Preface



The security market has failed. 

On Tuesday, October 8, 2003, Aaron Caffrey, age nineteen, began his
trial. The charge: subverting the operation of the Port of Houston.
His prosecution had been a model of international cooperation, with the
British and American authorities working together at every step. Mr. Caffrey
was to be tried in the United Kingdom.

The Port of Houston followed all the normal security practices. The Port
had developed web-based services to assist shipping pilots as they
moor, to coordinate loading and unloading companies, and to aid harbor
navigation. In a denial of service attack, Caffrey brought the port to a halt
on September 20, 2001. (A denial of service attack consists of repeated
initiations of contact, with the attacking machine pretending to be many
different machines, so that the target exhausts its capacity answering
bogus requests and cannot serve legitimate ones. An analogous attack
would be to repeatedly call someone on the phone and remain silent until
the hearer hangs up, then repeat the process constantly so that no work
can be completed.) The initial stated reason for the attack? A person from
Houston had taunted Caffrey about the object of his on-line affections.

Aaron Caffrey walked free from that courtroom in October 2003. Security
experts explained that there was no way to disprove his assertion that
his machine had been taken over by someone else: his threats against
Houston, his association with a hacker group, and his talents proved
nothing. The defense showed that it could not be established beyond a
reasonable doubt that Caffrey's machine had not itself been subverted, so
that it acted on direction other than its owner's.

Aaron Caffrey, an autistic young man, is a hacker who could both
manipulate code and demonstrate that no one is immune to hackers.

This is the state of the security of the American information
infrastructure.

In July 2003 a virus, a variant of one originally named SoBig, infected
one out of every three computers in China. The virus provides spammers
with the processing power and bandwidth of the infected computer for
their distribution of unwanted mass email. The virus caused mail server
crashes and denial of service attacks, and encouraged the spread of an
unrelated virus masquerading as a Microsoft patch for SoBig. SoBig was the
most expensive virus in history, until MyDoom arrived six months later. In
the time it takes to publish this work, another even more virulent and
expensive virus will undoubtedly appear.

This is the state of the security of the global information
infrastructure.

Certainly, the web server at the Port of Houston was economically and
politically important enough to warrant sufficient investment in security.
Indeed, the Port of Houston is important enough that a single teenager
should not be able to stop the port from functioning.

Similarly, the investment in personnel, networks, and the sheer mass of
individual time would argue that a virus such as SoBig would have been
more effectively prevented than battled, or tolerated as a chronic,
insoluble problem like malaria in the tropics.

Why have market mechanisms thus far failed to create secure
networks?

The Internet is critical to all sectors of the economy and integrated
into government. Security technologies do exist, and capable
programmers can implement secure code. Programming projects and operating
systems based on secure design principles populate research databases.
Yet the network at the Port of Houston was sabotaged by a creative
teenager with limited programming experience.

Why? Clearly the answer to this question must include more than 
technology. There is a problem in the economics of security, and more 
broadly in the economics of information control. These problems emerge 
as security violations, spam, ‘private' databases indexed by Google, and 
products based on practices exposed as snake oil decades before. 

Computer viruses and worms are no longer the domain of experts
only. Every business experienced infections and disruptions from
infected machines in the latest generation of worms. Economics, combined
with management, organization theory, and computer security, can
address the chronic problems of security economics. Yet the problems
of security have not, before now, been systematically examined in
economic and management terms. This text, rather than trying to
encourage managers and practitioners to become security experts, brings
the tools of economics to bear on the problems of network security. The
result is a narrative about the economic problems of information security
and a set of tools for examining appropriate investment in computer
security, all embedded in a set of rich metaphors for balancing the various
alternatives for computer security.

The security market in the case of networked information systems can
be thought of in many different ways, and each view suggests a different
set of regulatory and economic responses. Yet, for all the metaphors
that may apply, there is a single potential measure: dollars. Economics
offers a powerful lens for understanding the apparently wildly irrational
behavior of software providers, companies, home users and even nation
states. This text brings all the tools of economics to bear on the
individual, corporate, and national problems of computer security. Perverse
incentives, lock-in, irrational risk evaluations and bad information all
play a role in creating the chronically broken network.

The economics of information security is not a metaphor for computer
security, as war or health are. Recognizing the economics of information
security allows managers to alter incentives and policy makers to better
evaluate policies that may be presented under the warfare metaphor.

A simple example of corporate incentives is that of patching
vulnerabilities. Individual departments must pay for their own IT services,
machines, and employee time. Engaging IT services to support employees and
requiring employees to patch creates immediate costs for each manager,
while the benefit of the patch accrues to the company as a whole.
Charging each section for the vulnerabilities it leaves open would enhance
company-wide security, but such a solution comes only from considering
the complexities of the security market. Assuming that security works like
all other goods has resulted, and will continue to result, in perverse
incentives that cause managers to ignore the long-term issue of security
in favor of goals with more pressing time frames.

While the elephant of computer security emerges piecewise, with the
ear and tail and foot, the volume as a whole offers a clear picture of
computer and information security. Such clarity could only be obtained
by painting the whole picture with the palette provided by economics.

Camp’s article discusses the concept of security vulnerabilities as an
externality, and the direct implication of such externalities for market
construction. Of course the use of economics proposes that security must
be some kind of tradable or measurable good. Perhaps security is that
canonical economic failure, a public good. In this case one person’s
security investment is another’s gain; therefore no one makes an adequate
investment. Or perhaps it is not the value to others but the simple
lack of return that means that there is little investment. If security is
an externality it can still be subject to measurement. Understanding
security as an externality may inform the security debate and, as the
chapter concludes, offer some insight into how to manage it in a corporate
environment.

Yet perhaps vulnerabilities and externalities are too narrow a
description of security. What kind of good exactly is being measured? Hal
Varian offers three scenarios.

First, security can be defined by the lowest investment, just as the 
height of a protective wall is defined by its lowest or weakest point. Even 
barbarians knew this, as they aimed for the gate and not the towers. 

Second, the level of security can be determined by the greatest invest- 
ment, as when the town is protected by concentric walls. The highest 
wall provides the greatest protection (or rather, the combination of the 
strongest gate and highest wall). 

Alternatively, the security level can be determined by the average
investment. In this case consider the community involved in the
construction of the wall: the wall is as high as the combined effort of all
participants. Individual effort can raise the average somewhat, but not
significantly raise the wall.

Consumer behavior reflects the assertion that security and privacy
claims are not trustworthy. Few consumers understand “trusted” computing
as trustworthy. Indeed, security is more complex than most goods in that
its primary function will be subverted by its own users. Passwords written
on post-it notes, shared passwords, violations of security policy, and
sharing of security information are all common. Why is security both so
desirable and so frequently subverted?

Control and verification of information are the critical goals of security
and privacy. Yet control of information on an individual machine may
be of interest to more than the user. In the most common examples, a
remote party with commercial interests will want to constrain the use of
information; however, even more common is the desire of an employer
to control information use on the employee’s machine. One set of economic
concepts is needed to analyze remote control of information, whereas
distinct economic concepts are required to discuss the protection of a set
of machines with a defined periphery.

Digital rights management systems are designed by producers with
complex commercial interests; these interests are often in conflict with
the interests of the user. As a result, the most consistent and highest
investment in security has been in the interest of manufacturers, not
consumers. Trusted computing has been primarily used to implement
bundling. Cell phone companies tie the battery to the phone; automobile
companies tie maintenance to the dealership. What could only theoretically
be prevented by contract can be prohibited outright by the code.

Ross Anderson has illustrated this dichotomy in a series of case studies 
of security as applied in modern technologies. The nature of security as 
a good is complicated by the fact that it is inherently a bundled good. 
You cannot purchase security in the abstract. There must be a threat to 
be considered and the security investment (average, lowest or highest) 
must be commensurate with and targeted to that threat. In all of these 
the threat as perceived by the user is the threat of external control; 
while the threat as perceived by the producer is that of a consumer out 
of control. 

Having acknowledged that producer security is at odds with consumer
desires, it is feasible to examine investment from the perspective of the
producer or the consumer. Beginning with the producer, Stephen Lewis
asks if producers have accurately and correctly invested in digital rights
management technology. Indeed, as shown in the next chapter by Stuart
Schechter, investments in encryption against P2P networks are in fact
changing the balance. But the balance is being changed in favor of
the file traders and against the interests of those who would license
the content. Beginning with the argument about the current uses of
security technology, observing the incentives in peer to peer systems,
the final chapter in this section argues that trusted computing may end
up supporting the user and subverting the investors.
Indeed if reliable security information is so difficult to find, the
incentives so hard to evaluate, and the results so unreliable, why should
anyone share it? What are the economic consequences of sharing
information? Esther Gal-Or and Anindya Ghose examine the generic question
of sharing security information, to find that it is in fact anything but
generic: the answer depends on the size of the firm, the nature of the
market in which the firm is competing, and even the functional
requirements of anti-trust policy. Information sharing among firms and
across industries varies widely, and this chapter explains why.

Hussein offers a broad look at the quantitative examinations of
computer security economics. The findings are remarkably consistent for a
young branch of the dismal science. There are a few discordant findings,
illustrating that there is no single unified theory of information security
but that a range of possibilities suggests reasons for underinvestment.

If security and confidentiality are primarily targeted at preventing
firm loss, then what are the limits to security? If security is primarily a
conceptual issue, then attacks on reputation as well as integrity are a
security issue. Considering the vast investment in brands, are investments
in security rational?

Sharing information may lead to more investment and thus a decrease
in losses to security breaches. Beyond direct loss, what is the loss in value
of the firm when there are security breaches? Larry Gordon and Marty
Loeb illustrate that security breaches by and large have little effect on
the stock market valuation of a firm. Yet when confidentiality is lost,
there is a high price to pay. The implicit argument is that the market
responds very strongly to losses of privacy and less strongly to losses
of security. The security market cannot be extricated from the privacy
market without serious misunderstandings of both.

In rejecting techniques that require effort, users are rejecting
investment in the very confidentiality that the market so values. Acquisti
argues that this is because users share the characteristic so often
identified in the stock market itself: extremely high long-term discounting.
Users value the current convenience offered by privacy violations at its
full current value, and apply extraordinary discounts to the later
potential harm.

This observation is validated from an entirely different perspective by
Paul Syverson in his examination of the security market. Discounts and
probabilities are not well understood when consumers offer information
that could be used against them. However, that immediate discount is
extremely well understood.

Shostack makes a counter observation that it is perhaps not the
discounts and risk calculations that make users so casual about protecting
their own information. Perhaps users simply have no understanding of
the threat. Just as some miners refused to take the accumulation of gas
seriously as a threat, and no one understood why workers on the
Brooklyn Bridge were dying of the bends, individuals today do not understand
the value of privacy. To make an analogy, why would someone buy
curtains and then offer details of their home over the Internet? The value
of security for the end user is even more difficult to understand than the
value of privacy for the consumer. The overall evaluation of the security
market when seen from the privacy perspective is not optimistic.

Landwehr argues explicitly that the information flows in the security
market are broken. Not only do consumers not understand the issues
of privacy and security risks, but even vendors themselves do not
understand security. Bill Gates’ vaunted commitment to security includes
training in security for 7,000 developers, yet there has not been a month
without the release of a security patch for Microsoft software. Even the
considerable financial and technical resources of Microsoft cannot result in
coherent application of security research implemented decades ago in a
complex computing environment characterized by unpredictable
interactions.

If security and privacy policies are “lemons markets”, then simple
claims of investment in security are far cheaper and easier than actually
securing a site. If claims of security are adequate to ensure customer
trust (and possibly cause malevolent profit-oriented actors to target
others), then there is no reason for investment in security or privacy. Like
false claims about a reliable used car, false claims of secure software
and false claims of privacy policy have no costs. Ironically, the lemons
argument suggests that the core security failure in the information
infrastructure is one of trustworthy information. Vila and Greenstadt argue
clearly for this counter-intuitive possibility.

Integrating personal actions in security and privacy is a significant
contribution of the next chapter. SoBig, MyDoom, and many other viral
variants depend on a large population of unsecured user machines to
flourish. Users express great concern for security, and privacy concerns
have been monotonically increasing. Given this concern, how can
observed user behaviors that illustrate that users share information readily
and avoid installing security patches be explained?

Acquisti uses the issue of on-line and off-line identities to illustrate
how economics can shed light on the apparent irrationalities of both
individuals and the market, regarding the confidentiality of information.

Odlyzko explains that users are correct in rejecting security designed
for them by merchants and providers because the greatest value for
merchants in controlling information is to implement price discrimination.
Offering information to a merchant who can then charge you more is
not in the interest of a consumer, even if the issues of control were not
relevant. Security systems that violate privacy are directly opposed to
the interest of the user when price discrimination is more likely than
personal security loss. In economic terms, users are balancing risks when
selecting privacy.

A more detailed discussion of users who reject security is provided in
the aptly-titled “We Want Security But We Hate It: The Foundations
of Security Techno-Economics in the Social World”. The undercurrents
of user resistance to security include economics, as well as social
and psychological phenomena. Beyond losing money through price
discrimination, users seek to maintain control and confidentiality. When
much security is implemented in order to best reflect vendor needs (as
when security is provided as part of digital rights management), users
seek to avoid the “features” offered in mainstream security solutions.

Perhaps users are motivated but misinformed. Certainly, corporate
organizations are not discouraged from investing in security because of
concerns about control of the desktop; for them this would be a feature and
not a bug. Perhaps the critical problem in the information age is the
information flow. Information is calculated and generated. Standards are
made. Committees meet. Yet for all the research and effort, home users do
not see themselves at risk. Corporations do not develop appropriate
responses.

In fact, manipulation of information and users remains a threat that 
cannot be addressed through technology alone. Can economics hope to 
address the problems of manipulation of authorized individuals and naive 
home users? Economics and markets themselves can be manipulated 
with the same tools of misinformation. “Cognitive Hacking” can apply 
to economic systems and information systems. 

Yet within the generally bleak picture of information failure, market 
failure and suspicion there are cases of remarkable success. We end with 
two of these: secure sockets layer and the cable industry. 

Having used economics to extract the distinctions between security 
and privacy as information control mechanisms in the market, the book 
closes with some specific examples of security in markets. 

The stories of the secure sockets layer and of the secure shell (as a
replacement for telnet) illustrate that a chronic low level of security need
not be an eternal state of affairs, no matter how long-term or ubiquitous
the state of affairs. The cable industry illustrates that lock-in need not
lock out security, if the incentives are properly aligned. The following
examination of the secure shell and the secure sockets layer illustrates
that forward movement is possible even in a distributed, chaotic market.
However, even the success stories of Larochelle and Rosasco illustrate that
history offers as much caution as promise, as each tale offers specific
conditions and constraints that enable security diffusion.

Economics offers a powerful lens for the examination of security. This
text aims to promote a more sophisticated vision of security in an
effort to assist designers in making systems that respect the alignment of
incentives, managers in aligning their investments with the most
critical security problems, and policy makers in understanding the nature of
the chronic, core problem of modern computer security. Bruce Schneier
explains better than any how apparently technical failures are in fact
economic failures, and his explanation provides the final thoughts in
this text.
Incentives in the security market are badly aligned, and the technology
is not understood. Ironically, in the information age, trustworthy
information is increasingly difficult to locate. To paraphrase Mark Twain: a
virus can be halfway around the world while a patch is still putting its
boots on.

L Jean Camp 
SYSTEM RELIABILITY AND FREE RIDING

Hal Varian 

School of Information Management and Systems, UC Berkeley*
hal@sims.berkeley.edu



In the total effort case, the agents with the least cost of effort 
to avoid systems failure should bear all the liability. 

System reliability often depends on the effort of many individuals,
making reliability a public good. It is well-known that purely voluntary
provision of public goods may result in a free rider problem: individuals
may tend to shirk, resulting in an inefficient level of the public good.

How much effort each individual exerts will depend on his own benefits
and costs, the efforts exerted by the other individuals, and the technology
that relates individual effort to outcomes. In the context of system
reliability, we can distinguish three prototypical cases.

Total effort. Reliability depends on the sum of the efforts exerted by 
the individuals. 

Weakest link. Reliability depends on the minimum effort. 

Best shot. Reliability depends on the maximum effort. 

Each of these is a reasonable technology in different circumstances.
Suppose that there is one wall defending a city and the probability of
successful defense depends on the strength of the wall, which in turn
depends on the sum of the efforts of the builders. Alternatively, think
of the wall as having varying height, with the probability of success
depending on the height at its lowest point. Or, finally, think of there
being several walls, where only the highest one matters. Of course, many
systems involve a mixture of these cases.



*First published in ICEC2003: Fifth International Conference on Electronic Commerce, N. 
Sadeh, ed., ACM Press, 2003, pp. 355-366. 
1. Literature

[Hirshleifer, 1983] examined how public good provision varied with
the three technologies described above. His main results were:

1 With the weakest-link technology, there will be a range of Nash
equilibria with equal contributions varying from zero to some
maximum, which is determined by the tastes of one of the agents.

2 The degree of underprovision of the public good rises as the number
of contributors increases in the total effort case, but the efficient
amount of the public good and the Nash equilibrium amount
will be more-or-less constant as the number of contributors
increases in the weakest-link case.

3 Efficient provision in the best-effort technology generally involves
only the agents with the lowest cost of contributing making any
contributions at all.

[Cornes, 1993] builds on Hirshleifer’s analysis. In particular he
examines the impact of changes in income distribution on the equilibrium
allocation. [Sandler and Hartley, 2001] provide a comprehensive
survey of the work on alliances, starting with the seminal contribution of
[Olson and Zeckhauser, 1966]. Their motivating concern is international
defense with NATO as a recurring example. In this context, it is natural
to emphasize income effects since countries with different incomes may
share a greater or lesser degree of the burden of an alliance.

The motivating example for the research reported here is computer
system reliability and security where teams of programmers and system
administrators create systems whose reliability depends on the effort
they expend. In this instance, considerations of costs, benefits, and
probability of failure become paramount, with income effects being a
secondary concern. This difference in focus gives a different flavor to the
analysis, although it still retains points of contact with the earlier work
summarized in [Sandler and Hartley, 2001] and the other works cited
above.

2. Notation

Let $x_i$ be the effort exerted by agent $i = 1, 2$, and let $P(F(x_1, x_2))$ be
the probability of successful operation of the system. Agent $i$ receives
value $v_i$ from the successful operation of the system and effort $x_i$ costs
the agent $c_i x_i$.

The expected payoff to agent $i$ is taken to be
$$P(F(x_1, x_2))\,v_i - c_i x_i$$

and the social payoff is

$$P(F(x_1, x_2))[v_1 + v_2] - c_1 x_1 - c_2 x_2.$$

We assume that the function $P(F)$ is differentiable, increasing in $F$, and
is concave, at least in the relevant region.

We examine three specifications for $F$, motivated by the taxonomy
given earlier.

Total effort. $F(x_1, x_2) = x_1 + x_2$.

Weakest link. $F(x_1, x_2) = \min(x_1, x_2)$.

Best shot. $F(x_1, x_2) = \max(x_1, x_2)$.

3. Nash equilibria 

We first examine the outcomes where each individual chooses effort 
unilaterally, and then compare these outcomes to what would happen 
if the efforts were coordinated so as to maximize social benefits minus 
costs. 



Total effort

Agent 1 chooses $x_1$ to solve

$$\max_{x_1}\; v_1 P(x_1 + x_2) - c_1 x_1,$$

which has first-order condition

$$v_1 P'(x_1 + x_2) = c_1.$$

Letting $G$ be the inverse of the derivative $P'$, we have

$$x_1 + x_2 = G(c_1/v_1).$$

Defining $\hat{x}_1 = G(c_1/v_1)$ we have the reaction function of agent 1 to agent
2’s choice

$$f_1(x_2) = \hat{x}_1 - x_2.$$

Similarly

$$f_2(x_1) = \hat{x}_2 - x_1.$$

These reaction functions are plotted in Figure 1.1. (Since effort cannot be
negative, each reaction function is truncated at zero.) It can easily be seen
that the unique equilibrium involves only one agent contributing effort,
with the other free riding, except in the degenerate case where each
agent has the same benefit/cost ratio: $v_2/c_2 = v_1/c_1$.

Let us suppose that $v_2/c_2 > v_1/c_1$. Then $\hat{x}_2 > \hat{x}_1$ (because $P$ is
concave, $P'$ is decreasing and so is its inverse $G$), so agent 2
contributes everything and agent 1 free rides.

FACT 1 In the case of total effort, system reliability is determined by
the agent with the highest benefit-cost ratio. All other agents free ride
on this agent.

The fact that we get this extreme form of free riding when utility takes
this quasilinear form is well-known; see, for example, [Varian, 1994] for
one exposition.
Figure 1.1. Nash equilibrium in total effort case.



Weakest link

Agent 1’s problem is now

$$\max_{x_1}\; v_1 P(\min(x_1, x_2)) - c_1 x_1.$$

It is not hard to see that agent 1 will want to match agent 2’s effort if
$x_2 < \hat{x}_1$, and otherwise set $x_1 = \hat{x}_1$. The two agents’ reaction functions
are therefore

$$f_1(x_2) = \min(x_2, \hat{x}_1) \qquad (1.1)$$

$$f_2(x_1) = \min(x_1, \hat{x}_2). \qquad (1.2)$$

These reaction functions are plotted in Figure 1.2. Note that there will
be a whole range of Nash equilibria: every profile $x_1 = x_2 = x$ with
$0 \le x \le \min(\hat{x}_1, \hat{x}_2)$ is one. The largest of these will be at
$\min(\hat{x}_1, \hat{x}_2)$. This Nash equilibrium Pareto dominates the others, so it
is natural to think of it as the likely outcome.

FACT 2 In the weakest-link case, system reliability is determined by the
agent with the lowest benefit-cost ratio.



Best shot

In the best-shot case it is not hard to see that there will always be
a Nash equilibrium where the agent with the highest benefit-cost ratio
exerts all the effort. What is more surprising is that there will sometimes
be a Nash equilibrium where the agent with the lowest benefit-cost ratio
exerts all the effort.² This can occur when the agent with the highest
benefit-cost ratio chooses to exert zero effort, leaving all responsibility
to the other agent.



² I am grateful to Xiaopeng Xu for pointing this out to me.
Figure 1.2. Nash equilibrium in weakest link case.
Figure 1.3. Nash equilibria in best-shot case.



To see an example of this, suppose that the agents’ utility functions
have the form $v_i \ln x - x_i$ where $x = \max(x_1, x_2)$. (True, $\ln x$ is not a
probability, but that makes no difference for what follows.)

The first-order condition is $v_1/x = 1$, so $x_1 = v_1$ or $0$, depending on
whether $v_1 \ln v_1 - v_1$ is greater or less than $v_1 \ln x_2$. Hence $x_1 = v_1$ if
$x_2 < v_1/e$ and $x_1 = 0$ if $x_2 > v_1/e$.

In order to create a simple example, suppose that $v_1 = e$ and $v_2 = 2e$.
This gives us $x_1 = e$ for $x_2 < 1$ and zero otherwise, while $x_2 = 2e$ for
$x_1 < 2$ and zero otherwise. These reaction curves are depicted in Figure
1.3. Note that in the case depicted there are two equilibria, with each
agent free-riding in one of the equilibria.

The three baseline cases we have studied, total effort, weakest link,
and best shot, have three different kinds of pure-strategy Nash equilibria:
unique, continuum, and (possibly) two discrete equilibria.
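As an added worked example, not code from the chapter, the following Python writes down the best-response functions of this section and finds the Nash equilibria under each of the three technologies by iterating best responses from several starting efforts for agent 2. It assumes the concave success function P(F) = 1 - exp(-F), for which P'(F) = exp(-F) and G(y) = -ln y (clamped at zero effort), and uses constructed values v = (1, 1) and costs c = (0.5, 0.25). Going beyond the chapter's log-utility example, it uses the same P for the best-shot case; the same phenomenon appears there, two equilibria with each agent free riding in one of them.

```python
"""Nash equilibria of the reliability game under the three technologies
(added example, not code from the chapter).

Assumptions: P(F) = 1 - exp(-F), so P'(F) = exp(-F) and its inverse is
G(y) = -ln(y), clamped at zero effort; effort cannot be negative. The same P
is used for best shot instead of the chapter's log-utility example, and the
agents' values and costs are constructed for illustration.
"""
import math


def P(F):
    """Probability of successful operation as a function of aggregate effort."""
    return 1.0 - math.exp(-F)


def G(y):
    """Inverse of P': the effort at which marginal reliability equals y."""
    return max(0.0, -math.log(y))


def xhat(v_i, c_i):
    """Effort agent i would pick acting alone: G(c_i / v_i)."""
    return G(c_i / v_i)


def best_response(i, x_j, v, c, tech):
    """Effort of agent i given the other agent's effort x_j."""
    xh = xhat(v[i], c[i])
    if tech == "total":          # f_i(x_j) = xhat_i - x_j, truncated at zero
        return max(xh - x_j, 0.0)
    if tech == "weakest":        # equations (1.1)/(1.2): match x_j up to xhat_i
        return min(x_j, xh)
    if tech == "best":
        # F = max(x_i, x_j): either top the other agent (only worthwhile at
        # xhat_i, and only if xhat_i > x_j) or contribute nothing and ride on x_j.
        top = v[i] * P(xh) - c[i] * xh
        ride = v[i] * P(x_j)
        return xh if (xh > x_j and top > ride) else 0.0
    raise ValueError(tech)


def is_nash(x, v, c, tech, tol=1e-9):
    """A profile is a Nash equilibrium when each agent plays its best response."""
    return (math.isclose(x[0], best_response(0, x[1], v, c, tech), abs_tol=tol)
            and math.isclose(x[1], best_response(1, x[0], v, c, tech), abs_tol=tol))


def find_equilibria(v, c, tech, starts=(0.0, 0.3, 2.0), rounds=50):
    """Iterate best responses from several starting efforts for agent 2 and
    collect the distinct fixed points that pass the Nash check."""
    found = set()
    for x2 in starts:
        x1 = 0.0
        for _ in range(rounds):
            x1 = best_response(0, x2, v, c, tech)
            x2 = best_response(1, x1, v, c, tech)
        if is_nash((x1, x2), v, c, tech):
            found.add((round(x1, 9), round(x2, 9)))
    return sorted(found)


if __name__ == "__main__":
    V, C = (1.0, 1.0), (0.5, 0.25)   # constructed: v2/c2 = 4 > v1/c1 = 2
    for tech in ("total", "weakest", "best"):
        print(tech, find_equilibria(V, C, tech))
```

With these numbers xhat_1 = ln 2 and xhat_2 = ln 4. Total effort yields the single profile (0, ln 4), the high-ratio agent doing all the work; weakest link yields a different fixed point for each starting value, the continuum of (x, x) up to the Pareto-dominant (ln 2, ln 2); best shot yields both (ln 2, 0) and (0, ln 4).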
4. Social optimum
Total effort

The social problem solves

$$\max_{x_1, x_2}\; P(x_1 + x_2)[v_1 + v_2] - c_1 x_1 - c_2 x_2.$$

The first-order conditions are

$$P'(x_1 + x_2)[v_1 + v_2] \le c_1, \qquad (1.3)$$

$$P'(x_1 + x_2)[v_1 + v_2] \le c_2, \qquad (1.4)$$

with equality for any agent who exerts positive effort. At the optimum, the
agent with the lowest cost exerts all the effort. Let
$c_{\min} = \min\{c_1, c_2\}$, so that the optimum is determined by

$$x_1^* + x_2^* = G(c_{\min}/(v_1 + v_2)). \qquad (1.5)$$

Comparing (1.5) with the Nash outcome $x_1 + x_2 = G(c_i/v_i)$ for the
contributing agent $i$: since $c_{\min} \le c_i$ and $v_1 + v_2 > v_i$, the argument
of the decreasing function $G$ is smaller at the optimum, so optimal total
effort is larger. Summarizing, we have:

FACT 3 In the total effort case, there is always too little effort exerted
in the Nash equilibrium as compared with the optimum. Furthermore,
when $v_2/c_2 > v_1/c_1$ but $c_1 < c_2$, the “wrong” agent exerts the effort.

Best shot 

The social and private outcomes in this case are the same as in the 
total effort case. 

Weakest link

The social objective is now

$$\max_{x_1, x_2}\; P(\min(x_1, x_2))[v_1 + v_2] - c_1 x_1 - c_2 x_2.$$

At the social optimum, it is obvious that $x_1 = x_2$ (effort above the
minimum is wasted), so we can write this problem as

$$\max_{x}\; P(x)[v_1 + v_2] - [c_1 + c_2]x,$$

which has first-order condition

$$P'(x)[v_1 + v_2] = c_1 + c_2,$$

or

$$x_1 = x_2 = x = G((c_1 + c_2)/(v_1 + v_2)). \qquad (1.6)$$

FACT 4 The probability of success in the socially optimal solution is
always lower in the case of weakest link than in the case of total effort.

This occurs because the weakest link case requires equal effort from
all the agents, rather than just effort from any single agent. Hence it is
inherently more costly to increase reliability in this case: the argument
of $G$ in (1.6) exceeds that in (1.5), so the common effort level, and with
it $P$, is lower.
5. Identical values, different costs

Let $n$ be the number of agents and, for simplicity, set $v_i = 1$ for all
$i = 1, \ldots, n$. (Here $x$ denotes aggregate effort $\sum_i x_i$ in the
total-effort case and the common effort level in the weakest-link case.)
In the total-effort case, the social optimum is given by

$$nP'(x) = \min_i c_i,$$

while the private optimum is determined by

$$P'(x) = \min_i c_i.$$

In the weakest-link case, the social optimum is determined by

$$nP'(x) = \sum_i c_i,$$

or

$$P'(x) = \frac{1}{n}\sum_i c_i,$$

while the private optimum is determined by

$$P'(x) = \max_i c_i.$$

If we think of drawing agents from a distribution, what matters for
system reliability are the order statistics, the highest and lowest costs
of effort.

FACT 5 Systems will become increasingly reliable as the number of agents
increases in the total effort case, but increasingly unreliable as the
number of agents increases in the weakest link case.

6. Increasing the number of agents

Let us now suppose that $v_i = c_i = 1$ and that the number of agents is $n$. In this case, the social optimum in the case of total effort is determined by

$$nP'\Big(\sum_i x_i\Big) = 1,$$

or

$$\sum_i x_i = G(1/n).$$

The Nash equilibrium satisfies

$$P'\Big(\sum_i x_i\Big) = 1,$$

or

$$\sum_i x_i = G(1).$$

Fact 6 In the total efforts case with identical agents, the Nash outcome remains constant as the number of agents is increased, but the socially optimal amount of effort increases.

In the weakest-link case, the social optimum is determined by

$$nP'(x) = n,$$

which means that the socially optimal amount of effort remains constant as $n$ increases. In the Nash equilibrium

$$P'(x) = 1,$$

or

$$x = G(1).$$

FACT 7 In the weakest-link case with identical agents, the socially optimal reliability and the Nash reliability are identical, regardless of the number of agents.
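Facts 3 through 7 can be checked numerically once a concrete technology is fixed. The Python below is an added example, not code from the chapter or its author. It assumes the concave technology $P(x) = 1 - e^{-2x}$, so that $G$, the inverse of $P'$, has the closed form $G(t) = \tfrac{1}{2}\ln(2/t)$ clipped at zero; the constant $K$, that choice of $P$, and the parameter values $v = (1, 3)$, $c = (1, 2)$ are my assumptions rather than the chapter's.

```python
"""Added example (not from the chapter): Facts 3 to 7 checked numerically.

Assumed technology (my choice, not the chapter's): P(x) = 1 - exp(-K x) with
K = 2, so P'(x) = K exp(-K x) and its inverse is G(t) = ln(K / t) / K, clipped
at 0 for the corner where even zero effort has marginal value below t.
"""
import math

K = 2.0  # assumed steepness of the success technology


def P(x):
    """Probability the system works, as a function of (aggregate) effort."""
    return 1.0 - math.exp(-K * x)


def G(t):
    """Inverse of P': the effort at which marginal success probability equals t."""
    if t <= 0:
        raise ValueError("cost/benefit ratio must be positive")
    return max(0.0, math.log(K / t) / K)


def total_effort_nash(v, c):
    """Nash equilibrium of the total-effort game: the agent with the highest
    benefit-cost ratio v_i/c_i exerts G(c_i/v_i) and everyone else free rides."""
    ratio = [ci / vi for vi, ci in zip(v, c)]
    i = min(range(len(v)), key=lambda j: ratio[j])
    return {"agent": i, "total": G(ratio[i])}


def total_effort_social(v, c):
    """Social optimum (1.5): the lowest-cost agent supplies G(c_min / sum v)."""
    i = min(range(len(c)), key=lambda j: c[j])
    return {"agent": i, "total": G(c[i] / sum(v))}


def weakest_link_social(v, c):
    """Social optimum (1.6): every agent exerts the common level G(sum c / sum v)."""
    return G(sum(c) / sum(v))


def weakest_link_nash(v, c):
    """Most secure Nash equilibrium of the weakest-link game: everyone matches
    the agent who cares least, i.e. the effort solving P'(x) = max_i c_i/v_i."""
    return G(max(ci / vi for vi, ci in zip(v, c)))


def report(v, c):
    """Collect the quantities the chapter compares, for one parameter set."""
    te_nash, te_soc = total_effort_nash(v, c), total_effort_social(v, c)
    wl_soc = weakest_link_social(v, c)
    return {
        "total_effort": {"nash": te_nash, "social": te_soc},
        "weakest_link": {"nash": weakest_link_nash(v, c), "social": wl_soc},
        "success_prob_social": {"total_effort": P(te_soc["total"]),
                                "weakest_link": P(wl_soc)},
    }


if __name__ == "__main__":
    # Fact 3: v2/c2 = 1.5 > v1/c1 = 1 but c1 < c2, so the Nash contributor
    # (index 1) is the "wrong" agent; the optimum uses the cheaper agent (index 0).
    print(report(v=(1.0, 3.0), c=(1.0, 2.0)))
    # Facts 6 and 7: identical agents, growing n.
    for n in (1, 2, 4, 8):
        print(n, report(v=(1.0,) * n, c=(1.0,) * n))
```

With these values the Nash total effort is $G(2/3) \approx 0.549$ against a social optimum of $G(1/4) \approx 1.040$, and the weakest-link optimum $G(3/4) \approx 0.490$ gives a lower success probability than the total-effort optimum, as Fact 4 states. For identical agents the Nash total effort stays at $G(1)$ for every $n$ while the optimum $G(1/n)$ grows, and in the weakest-link case both equal $G(1)$.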

7. Fines and liability

Total effort

Let us return to the two-agent case, for ease of exposition, and consider the optimal fine, that is, the fine that induces the socially optimal levels of effort. Let us start with the total effort case, and suppose that agent 1 has the lowest marginal cost of effort. If we impose a cost of $v_2$ on agent 1 in the event that the system fails, then agent 1 will want to maximize

$$v_1 P(x_1 + x_2) - v_2[1 - P(x_1 + x_2)] - c_1 x_1.$$

The first order condition is

$$(v_1 + v_2)P'(x_1 + x_2) = c_1,$$

which is precisely the condition for social optimality. This result easily extends to the $n$-person case, so we have:

FACT 8 A fine equal to the costs imposed on the other agents should be imposed on the agent who has the lowest cost of reducing the probability of failure.

Alternatively, we could consider a strict liability rule, in which the amount charged in the case of system failure is paid to the other agent. If the "fine" is paid to agent 2, his optimization problem becomes

$$v_2 P(x_1 + x_2) + [1 - P(x_1 + x_2)]v_2 - c_2 x_2.$$

Simplifying, we have

$$v_2 - c_2 x_2,$$

so agent 2 will want to set $x_2 = 0$. But this is true in the social optimum as well, so there is no distortion. Obviously this result is somewhat delicate; in a more general specification, there would be some distortions from the liability payment since it will, in general, change the behavior of agent 2. If the liability payment is too large, it may induce agent 2 to seek to be injured. This is not merely a theoretical issue, as it seems likely that if liability rules were imposed, each system failure would give rise to many plaintiffs, each of whom would seek maximal compensation.

The fact that the agents with the least cost of effort to avoid system failure should bear all the liability is a standard result in the economic analysis of tort law, where it is sometimes expressed as the doctrine of the "least-cost avoider." As [Shavell, 1987], pages 17-18, points out, this doctrine is correct only in rather special circumstances, of which one is the sum-of-efforts case we are considering.

Weakest link

How does this analysis work in the weakest-link case? Since an incremental increase in reliability requires effort to be exerted by both parties, each agent must take into account the cost of effort of the other.

One way to do this is to make each agent face the other's marginal cost, in addition to facing a fine in case of system failure. Letting $x = \min\{x_1, x_2\}$, the objective function for agent 1, say, would then be:

$$v_1 P(x) - [1 - P(x)]v_2 - c_1 x_1 - c_2 x_1.$$

Agent 1 would want to choose $x = x_1$ determined by

$$(v_1 + v_2)P'(x) = c_1 + c_2,$$

which is the condition for social optimality. Agent 2 would make exactly the same choice.

Let us now examine a liability rule in which each must compensate the other in the case of system failure. The objective functions then take the form

$$\max_{x_1} \; v_1 P(x) - (1 - P(x))v_2 + (1 - P(x))v_1 - c_1 x_1 \qquad (1.7)$$

$$\max_{x_2} \; v_2 P(x) - (1 - P(x))v_1 + (1 - P(x))v_2 - c_2 x_2 \qquad (1.8)$$

(1.9)

Note that when the system fails, each agent compensates the other for their losses, but is in turn compensated.

Simplifying, we can express the optimization problems as

$$\max_{x_1} \; v_1 - v_2 + v_2 P(x) - c_1 x_1 \qquad (1.10)$$

$$\max_{x_2} \; v_2 - v_1 + v_1 P(x) - c_2 x_2 \qquad (1.11)$$

This leads to first order conditions

$$v_2 P'(x) = c_1 \qquad (1.12)$$

$$v_1 P'(x) = c_2 \qquad (1.13)$$
If we are in the symmetric case where $v_1 = v_2$ and $c_1 = c_2$ (or more generally, where $v_1 c_1 = v_2 c_2$), then both of these equations can be satisfied and, somewhat surprisingly, the solution is the social optimum. Of course, if all agents are identical, then there is no reason to impose a liability rule, since individual optimization leads to the social optimum anyway, as was shown earlier.

If we are not in the symmetric case, the equilibrium will be determined by $\min\{c_1/v_2, c_2/v_1\}$. In this case, strict liability does not result in the social optimum.

The resolution is to use the negligence rule. Under this doctrine, 
the court establishes a level of due care, x. In general, this could be 
different for different parties, but that generality is not necessary for 
this particular case. If the system fails, there is no liability if the level 
of care/effort meets or exceeds the due care standard. If the level of 
care/effort was less than the due care standard, then the party who 
exerted inadequate care/effort must pay the other the costs of system 
failure. 

Although the traditional analysis of the negligence rule assumes the 
courts determine the due care standard, an alternative model could in- 
volve the insurance companies setting a due care standard. For example, 
insurance companies could offer a contract specifying that the insured 
would be reimbursed for the costs of an accident only if he or she had 
exercised an appropriate standard of due care. 

Let $x^*$ be the socially optimal effort level; i.e., the level that solves

$$\max_x \; (v_1 + v_2)P(x) - (c_1 + c_2)x.$$

It therefore satisfies the first-order condition

$$(v_1 + v_2)P'(x^*) = c_1 + c_2.$$

We need to show that if the due care standard is set at $\bar{x} = x^*$, then $x_1 = x_2 = \bar{x}$ is a Nash equilibrium.³

To prove this, assume that $x_2 = \bar{x}$. We must show that the optimal choice for agent 1 is $x_1 = \bar{x}$. Certainly we will never have $x_1 > \bar{x}$ since choosing $x_1$ larger than $\bar{x}$ has no impact on the probability of system failure and incurs positive cost. Will agent 1 ever want to choose $x_1 < \bar{x}$? Agent 1's objective function is

$$v_1 P(x_1) - (1 - P(x_1))v_2 - c_1 x_1.$$

Computing the derivative, and using the concavity of $P(x)$, we find

$$(v_1 + v_2)P'(x_1) - c_1 > (v_1 + v_2)P'(x^*) - c_1 = c_2.$$



3 Of course, there will be many other Nash equilibria as well, due to the weakest-link tech- 
nology. The legal due-care standard has the advantage of serving as a focal point to choose 
the most efficient such equilibrium. 
Hence agent 1 will want to increase his level of effort when $x_1 < \bar{x}$. Summarizing:

FACT 9 In the case of weakest link, strict liability is not adequate in 
general to achieve the socially optimal level of effort, and one must use 
a negligence rule to induce the optimal effort. 

Again, this is a standard result in liability law, which was first established by [Brown, 1973]; see Proposition 2.2 in [Shavell, 1987], page 40. The argument given here is easily modified to show that the negligence rule induces optimal behavior in the sum-of-efforts case as well, or for that matter, for any other form $P(x_1, x_2)$.
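The contrast between strict liability (equations 1.7 to 1.13) and the negligence rule can be checked by brute force for one parameter set. The Python below is an added example, not code from the chapter or its author. It assumes the technology $P(x) = 1 - e^{-2x}$ with $G(t) = \tfrac{1}{2}\ln(2/t)$ as the inverse of $P'$, the asymmetric values $v = (1, 3)$, $c = (1, 2)$ (so $v_1 c_1 \neq v_2 c_2$), and that a negligent party pays the other's loss $v_j$ on failure; all of these are my assumptions. Each agent's best reply is found by exhaustive search over a grid that contains the other agent's effort and the due-care standard exactly.

```python
"""Added example (not from the chapter): strict liability versus the negligence
rule in the two-agent weakest-link game of Section 7, checked by brute force.

Assumed technology (mine): P(x) = 1 - exp(-K x), K = 2, G(t) = ln(K/t)/K clipped
at 0.  The parameter values v = (1, 3), c = (1, 2) are also my assumption.
"""
import math

K = 2.0


def P(x):
    return 1.0 - math.exp(-K * x)


def G(t):
    """Inverse of P', with the corner solution at zero effort."""
    return max(0.0, math.log(K / t) / K)


def social_optimum(v, c):
    """x* solving max_x (v1+v2) P(x) - (c1+c2) x, i.e. (v1+v2) P'(x*) = c1+c2."""
    return G(sum(c) / sum(v))


def payoff(v, c, i, x_own, x_other, rule, due_care=None):
    """Payoff of agent i when the system works with probability P(min(x1, x2)).

    rule == "strict":      each agent pays the other's loss on failure and is
                           paid his own, as in (1.7) and (1.8).
    rule == "negligence":  an agent pays the other's loss only if his own effort
                           fell short of the due-care standard (assumed form).
    """
    j = 1 - i
    x = min(x_own, x_other)
    fail = 1.0 - P(x)
    base = v[i] * P(x) - c[i] * x_own
    if rule == "strict":
        return base - fail * v[j] + fail * v[i]
    if rule == "negligence":
        pays = x_own < due_care
        is_paid = x_other < due_care
        return base - (fail * v[j] if pays else 0.0) + (fail * v[i] if is_paid else 0.0)
    raise ValueError(f"unknown rule {rule!r}")


def best_response(v, c, i, x_other, rule, due_care=None, grid=4000):
    """Best reply of agent i to x_other by exhaustive search.  The candidate
    set contains x_other and due_care exactly, so matching the other agent or
    meeting the standard is always among the options compared."""
    upper = 2.0 * max(x_other, due_care or 0.0) + 1.0
    candidates = {upper * k / grid for k in range(grid + 1)} | {x_other}
    if due_care is not None:
        candidates.add(due_care)
    return max(sorted(candidates),
               key=lambda x: payoff(v, c, i, x, x_other, rule, due_care))


def is_equilibrium(v, c, x1, x2, rule, due_care=None):
    """True when neither agent can gain by deviating from (x1, x2)."""
    return (best_response(v, c, 0, x2, rule, due_care) == x1
            and best_response(v, c, 1, x1, rule, due_care) == x2)


if __name__ == "__main__":
    v, c = (1.0, 3.0), (1.0, 2.0)            # asymmetric: v1 c1 != v2 c2
    xs = social_optimum(v, c)
    print("x* =", xs)
    print("strict liability sustains x*:", is_equilibrium(v, c, xs, xs, "strict"))
    print("negligence (due care = x*) sustains x*:",
          is_equilibrium(v, c, xs, xs, "negligence", due_care=xs))
```

Under strict liability agent 2 faces the first-order condition $v_1 P'(x) = c_2$, which with these numbers is satisfied only at zero effort, so he deviates from $x^*$ to $0$; under the negligence rule with $\bar{x} = x^*$ both best replies return $x^*$ itself, which is the Nash equilibrium argued above.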

8. Sequential moves 
Total effort 

Let us now assume that the agents move sequentially, where the agent 
who moves second can observe the choice of the agent who moves first. 
The following discussion is based on [Varian, 1994]. 

We assume that agent 1 moves first. The utility of agent 1 as a function of his effort is given by

$$U_1(x_1) = v_1 P(x_1 + f_2(x_1)) - c_1 x_1,$$

which can be written as

$$U_1(x_1) = v_1 P(x_1 + \max\{\hat{x}_2 - x_1, 0\}) - c_1 x_1.$$

We can also write this as

$$U_1(x_1) = \begin{cases} v_1 P(\hat{x}_2) - c_1 x_1 & \text{for } x_1 \le \hat{x}_2 \\ v_1 P(x_1) - c_1 x_1 & \text{for } x_1 > \hat{x}_2. \end{cases}$$

It is clear from Figure 1.4 that there are two possible optima: either the first agent exerts zero effort and achieves payoff $v_1 P(\hat{x}_2)$ or he contributes $\hat{x}_1$ and achieves utility $v_1 P(\hat{x}_1) - c_1 \hat{x}_1$.

Case 1. The agent with the lowest value of $v_i/c_i$ moves first. In this case the optimal choice by the first player is to choose zero effort. This is true since

$$v_1 P(\hat{x}_2) > v_1 P(\hat{x}_1) > v_1 P(\hat{x}_1) - c_1 \hat{x}_1.$$

Case 2. The agent with the highest value of $v_i/c_i$ is the first contributor. In this case, either contributor may free ride. If the agents have tastes that are very similar, then the first contributor will free ride on the second's contribution. However, if the first mover likes the public good much more than the second, then the first mover may prefer to contribute the entire amount of the public good himself.
Figure 1.4. Sequential contribution in total efforts case.



Referring to Figure 1.4 we see that there are two possible subgame per- 
fect equilibria: one is the Nash equilibrium, in which the agent who has 
the highest benefit-cost ratio does everything. The other equilibrium is 
where the agent who has the lowest benefit-cost contributes everything. 
This equilibrium cannot be a Nash equilibrium since the threat to free 
ride by the agent who likes the public good most is not credible in the 
simultaneous-move game. 

FACT 10 The equilibrium in the sequential-move, total-effort game always involves the same or less reliability than the simultaneous-move game.

Note that it is always advantageous to move first since there are only 
two possible outcomes and the first mover gets to pick the one he prefers. 

Fact 11 If you want to ensure the highest level of security in the sequential- 
move game, then you should make sure that the agent with the lower 
benefit-cost ratio moves first. 

Best-effort and weakest-link 

The best-effort case is the same as the total-effort case. The weakest- 
link case is a bit more interesting. Since each agent realizes that the 
other agent will, at most, match his effort, there is no point in choosing 
a higher level of effort than the agent who cares the least about reliability. 

On the other hand, there is no need to settle for one of the inefficient 
Nash equilibria either. 

FACT 12 The unique equilibrium in the sequential-move game will be the Nash equilibrium in the simultaneous-move game that has the highest level of security, namely $\min\{\hat{x}_1, \hat{x}_2\}$.

[Hirshleifer, 1983] recognizes this and uses it as an argument for selecting the Nash equilibrium with the highest amount of the public good as the "reasonable" outcome.
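The backward-induction argument of Section 8 is mechanical enough to run. The Python below is an added example, not code from the chapter or its author. It assumes the technology $P(x) = 1 - e^{-2x}$ with $G(t) = \tfrac{1}{2}\ln(2/t)$ as the inverse of $P'$, writes the stand-alone effort of agent $i$ as $\hat{x}_i = G(c_i/v_i)$, and uses the parameter sets $v = (1, 3)$, $c = (1, 2)$ and $v = (1, 10)$, $c = (1, 1)$; all of these are my assumptions. It solves the total-effort game for either move order, confirms the two-candidate argument by grid search, and reports the weakest-link outcome of Fact 12.

```python
"""Added example (not from the chapter): the sequential-move total-effort and
weakest-link games of Section 8, solved by backward induction.

Assumed technology (mine): P(x) = 1 - exp(-K x), K = 2, with G the inverse of
P'.  Stand-alone effort levels x_hat_i = G(c_i / v_i) are the contributions of
the simultaneous-move Nash equilibrium.  Parameter values are my assumptions.
"""
import math

K = 2.0


def P(x):
    return 1.0 - math.exp(-K * x)


def G(t):
    return max(0.0, math.log(K / t) / K)


def x_hat(v_i, c_i):
    """Effort agent i would choose on his own: P'(x_hat_i) = c_i / v_i."""
    return G(c_i / v_i)


def second_mover_reply(x_first, v_second, c_second):
    """f_2(x_1) = max{x_hat_2 - x_1, 0}: the second mover tops total effort up to x_hat_2."""
    return max(x_hat(v_second, c_second) - x_first, 0.0)


def first_mover_utility(x_first, v, c, first):
    """U(x) = v P(x + f(x)) - c x for the first mover, anticipating the reply."""
    i, j = first, 1 - first
    return v[i] * P(x_first + second_mover_reply(x_first, v[j], c[j])) - c[i] * x_first


def sequential_total_effort(v, c, first):
    """Subgame-perfect outcome (x_first, x_second) when agent `first` moves first.
    Only two candidates matter: free riding (0, letting the other reach x_hat_second)
    or supplying x_hat_first alone, worthwhile only when x_hat_first > x_hat_second."""
    i, j = first, 1 - first
    xi, xj = x_hat(v[i], c[i]), x_hat(v[j], c[j])
    u_free, u_self = v[i] * P(xj), v[i] * P(xi) - c[i] * xi
    x_i = 0.0 if u_free >= u_self else xi
    return x_i, second_mover_reply(x_i, v[j], c[j])


def brute_force_first_move(v, c, first, grid=20000):
    """Grid-search check of the two-candidate argument above."""
    i, j = first, 1 - first
    upper = 2.0 * max(x_hat(v[i], c[i]), x_hat(v[j], c[j])) + 1.0
    candidates = {upper * k / grid for k in range(grid + 1)} | {x_hat(v[i], c[i])}
    return max(sorted(candidates), key=lambda x: first_mover_utility(x, v, c, first))


def simultaneous_total_effort(v, c):
    """Nash total effort: the agent with the highest v_i/c_i supplies x_hat_i alone."""
    return max(x_hat(vi, ci) for vi, ci in zip(v, c))


def sequential_weakest_link(v, c):
    """Fact 12: the first mover proposes min{x_hat_1, x_hat_2} and the second matches it."""
    return min(x_hat(vi, ci) for vi, ci in zip(v, c))


if __name__ == "__main__":
    v, c = (1.0, 3.0), (1.0, 2.0)       # agent 0 has the lower v_i/c_i
    for first in (0, 1):
        print("first mover", first, "->", sequential_total_effort(v, c, first),
              "simultaneous total:", simultaneous_total_effort(v, c))
    print("first mover with much higher taste:",
          sequential_total_effort((1.0, 10.0), (1.0, 1.0), first=1))
    print("weakest link:", sequential_weakest_link(v, c))
```

With $v = (1, 3)$, $c = (1, 2)$ the agent with the lower ratio moving first free rides and the outcome equals the simultaneous Nash total $\hat{x}_2$ (Case 1); the higher-ratio agent moving first also free rides, and the total drops to $\hat{x}_1$ (Case 2, similar tastes, illustrating Facts 10 and 11). With $v = (1, 10)$, $c = (1, 1)$ the first mover's taste is strong enough that he supplies $\hat{x}_2$ himself.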

9. Adversaries 

Let us now briefly consider what happens if there is an adversary who 
is trying to increase the probability of system failure. First we consider 
the case of just two players, then we move to looking at what happens 
with a team on each side. 

We let $x$ be the effort of the defender, and $y$ the effort of the attacker. Effort costs the defender $c$ and the attacker $d$. The defender gets utility $v$ if the system works, and the attacker gets utility $w$ if the system fails. We suppose that the probability of failure depends on "net effort," $x - y$, and that there is a maximal effort $\bar{x}$ and $\bar{y}$ for each player.

The optimization problems for the attacker and defender can be written as

$$\max_x \; vP(x - y) - cx \qquad (1.14)$$

$$\max_y \; w[1 - P(x - y)] - dy. \qquad (1.15)$$

The first-order conditions are

$$vP'(x - y) = c \qquad (1.16)$$

$$wP'(x - y) = d. \qquad (1.17)$$

Let $G(\cdot)$ be the inverse function of $P'(x - y)$. By the second-order condition this has to be locally decreasing, and we will assume it is globally decreasing. We can then apply the inverse function to write the two reaction functions:

$$x - y = G(c/v) \qquad (1.18)$$

$$x - y = G(d/w). \qquad (1.19)$$

Of course, these are only the reaction functions for interior optima. Adding in the boundary conditions gives us:

$$x = \min\{\max\{G(c/v) + y, 0\}, \bar{x}\} \qquad (1.20)$$

$$y = \min\{\max\{x - G(d/w), 0\}, \bar{y}\}. \qquad (1.21)$$

We plot these reaction functions in Figure 1.5. Note that there are two possible equilibrium configurations. If $c/v < d/w$, we have $x^* = G(c/v)$ and $y^* = 0$, while if $c/v > d/w$ we have $x^* = \bar{x}$ and $y^* = \bar{x} - G(d/w)$.

Intuitively, if the cost-benefit ratio of the defender is smaller than that 
of the attacker, the attacker gives up, and the defender does just enough 
to keep him at bay. If the ratio is reversed, the defender has to go all 
out, and the attacker pushes to keep him there. 




14   THE ECONOMICS OF INFORMATION SECURITY

Figure 1.5. Reaction functions in adversarial case.



10. Sum of efforts and weakest link

In the sum-of-efforts case the reaction functions are:

$$\sum_{i=1}^{n} x_i - \sum_{i=1}^{m} y_i = G(c_j/v_j) \qquad (1.22)$$

$$\sum_{i=1}^{n} x_i - \sum_{i=1}^{m} y_i = G(d_j/w_j). \qquad (1.23)$$

Here the party with the lowest cost/benefit ratio exerts effort, while everyone else free rides. This becomes a "battle between the champions." In the weakest link case, the conditions for optimality are:

$$\min\{x_1, \ldots, x_n\} - \min\{y_1, \ldots, y_m\} = G(c_j/v_j) \qquad (1.24)$$

$$\min\{x_1, \ldots, x_n\} - \min\{y_1, \ldots, y_m\} = G(d_j/w_j). \qquad (1.25)$$

As opposed to a "battle of champions" we now have a "battle between the losers," as the outcome is determined by the weakest player on each team.

Note that when technology is total effort, large teams have an ad- 
vantage, whereas weakest link technology confers an advantage to small 
teams. 
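The team-size claim just made, and Fact 5 in Section 5, are both statements about order statistics: under total effort a team is as good as its best member (lowest $c_j/v_j$), under weakest link only as good as its worst (highest $c_j/v_j$). The Python below is an added example, not code from the chapter or its author. It assumes the technology $P(x) = 1 - e^{-2x}$ with $G(t) = \tfrac{1}{2}\ln(2/t)$ and that each member's cost/benefit ratio is drawn uniformly from $[0.5, 2]$; the distribution, its support and the seed are my assumptions. It compares the closed-form expected minimum and maximum of $n$ draws with a seeded Monte Carlo estimate and converts the decisive ratio into a success probability.

```python
"""Added example (not from the chapter): how team size changes the effective
cost/benefit ratio under total-effort and weakest-link technology (Sections 5
and 10).  Under total effort the team's outcome is governed by its best member
(lowest c_j/v_j); under weakest link by its worst (highest c_j/v_j).

Assumptions (mine): P(x) = 1 - exp(-K x) with K = 2, and each member's ratio
c_j/v_j is drawn uniformly from [LO, HI].
"""
import math
import random

K = 2.0
LO, HI = 0.5, 2.0  # assumed support of the cost/benefit ratio distribution


def P(x):
    return 1.0 - math.exp(-K * x)


def G(t):
    """Inverse of P', with the corner solution at zero effort."""
    return max(0.0, math.log(K / t) / K)


def effective_ratio(ratios, technology):
    """Order statistic that decides the team's effort: min for sum-of-efforts
    (the champion acts, others free ride), max for weakest link (the weakest
    member sets the level everyone matches)."""
    if technology == "total":
        return min(ratios)
    if technology == "weakest":
        return max(ratios)
    raise ValueError(f"unknown technology {technology!r}")


def expected_ratio_closed_form(n, technology):
    """E[min] and E[max] of n i.i.d. Uniform(LO, HI) draws."""
    gap = (HI - LO) / (n + 1)
    return LO + gap if technology == "total" else HI - gap


def simulated_ratio(n, technology, draws=5000, seed=7):
    """Monte Carlo estimate of the same expectation (seeded, so reproducible)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(draws):
        team = [rng.uniform(LO, HI) for _ in range(n)]
        total += effective_ratio(team, technology)
    return total / draws


def expected_reliability(n, technology):
    """Success probability at the effort chosen by the team's decisive member,
    evaluated at the expected decisive ratio."""
    return P(G(expected_ratio_closed_form(n, technology)))


if __name__ == "__main__":
    for n in (1, 3, 10):
        for tech in ("total", "weakest"):
            print(n, tech,
                  "closed form:", round(expected_ratio_closed_form(n, tech), 4),
                  "simulated:", round(simulated_ratio(n, tech), 4),
                  "reliability:", round(expected_reliability(n, tech), 4))
```

As $n$ grows the expected minimum ratio falls toward $0.5$ and the expected maximum rises toward $2$, so reliability rises with team size under total effort and falls under weakest link. In security terms this is the usual reason a larger trust domain or a larger set of interconnected hosts is harder to keep at a given assurance level when the technology is weakest-link.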



11. Future work 

There are several avenues worth exploring: 

■ To what extent do these results extend to the more general framework of [Cornes, 1993] and [Sandler and Hartley, 2001]? The possibility of Pareto improving transfers is particularly interesting. Though [Cornes, 1993] examined this in the context of income transfers, knowledge transfers would be particularly interesting in our context.

■ One case where transfers are important is when agents can subsidize other agents' actions, as in [Varian, 1994]. The subgame perfect equilibrium of "announce subsidies then choose actions" is Pareto efficient in the case we examine.

■ One could look at capacity constraints on the part of the agents. 
For example, each agent could put in only one unit of effort. Sim- 
ilarly, one could look at increasing marginal cost of effort. 

■ Imperfect information adds additional phenomena. For example, [Hermalin, 1998] shows that in a model with uncertainty about payoffs, an agent may choose to move first in order to demonstrate to the other agent that a particular choice is worthwhile. Hence "leadership" plays a role of signaling to the other agents.

■ [M. and Sandler, 2001] examines how results change when a con- 
tribution game’s structure moves in the direction of best shot or 
weakest link. This sort of partial comparative statics exercise could 
be of interest in our context as well. 

■ One could examine situations where there were communication 
costs among the cooperating agents, a la team theory. If, for ex- 
ample, there is imperfect information about what others are doing, 
it might lead to less free riding. 
The provision of computer security in a networked environment creates externalities and is subject to market failures.

The Internet and the larger information infrastructure are not secure 
(e.g., [National Research Council, 1996]). Well known vulnerabilities 
continue to be exploited long after patches are available. Today too 
many organizations discover security the day after intruders, interested 
in attracting attention, have rewritten their Web pages. The recent 
spread of the increasingly potent viruses clearly illustrates that hackers 
provide ubiquitous testing of Internet security and find it wanting. 

Policies can encourage or prevent the adoption of secure computing. 
For example, the controls on the export of cryptography have played a 
significant role in weakening cryptography in general use applications 
in the United States. The prohibition of cryptography in France has 
resulted in a nation with a proliferation of short commercial key lengths. 
Yet while these policies do play a part, they are not responsible for the 
entire situation. We consider the possibility that a major cause of the 
lack of security is that software and hardware prices do not reflect their 
embodied security weaknesses. A supporting observation is that well- 
documented vulnerabilities with free patches continue to exist on the 
Internet, including on sites with financial information and electronic 
transaction capabilities [Farmer, 1999]. 

The provision of security in a networked computer environment cre- 
ates positive externalities. Conversely, underprovision creates negative 
externalities. There are several specific ways in which security, or the 
lack thereof, on one machine can affect security on another machine. 
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Users of an insecure network, product or machine do not face the full 
cost of security violations, and hence the externality. 

Current regulatory and market mechanisms for dealing with network 
security have not provided organizations with sufficient encouragement 
to respond to potential security threats and vulnerabilities, i.e. the 
externalities are not adequately addressed. Multiple possible solutions 
to the underprovision of security are proposed in this text: liability for 
producers, computer security, and the widespread careful application 
of tools of finance and accounting. An alternative solution, one that 
embodies the explicit understanding of security as an externality, is to 
create a market for security whereby those who neglect to secure their 
networks, products, and machines can suffer the consequences according 
to formal pricing mechanisms rather than destructive incidents. 

There are a number of analogies between pricing security externalities and pricing pollution. First, for there to be production there must be some pollution, and for there to be connectivity there must be some vulnerabilities. Thus in both cases there are issues of definition: Is it a feature or a bug? Is it a toxic pollutant or a necessary part of the product? Answering these questions requires determining the socially optimal level of either pollution or network security vulnerabilities. Economists have long relied on markets to determine the efficient level of production. A market coordinates "buyers and sellers" of a product. In other words, those who benefit from more pollution can pay others who want less for the right to pollute. Alternatively, those who want less pollution or vulnerabilities can pay others not to pollute or not to ignore vulnerabilities.

Over the past ten years, a national market for trading permits to emit 
sulfur dioxide has developed as well as several regional US markets for 
other pollutants. Market-based approaches to pricing greenhouse gas 
emissions were discussed as part of the Kyoto Protocol. We draw on the 
lessons learned from the new markets for pollution to consider the issues 
raised for a market in network security. 

The rest of the paper proceeds as follows. After briefly describing general characteristics of externalities, we describe the externality components of security. We review the strategies currently used to increase network security and note that these are not sufficient. We discuss multiple security taxonomies, and draw upon these to develop the definition of a vulnerability necessary for creating a market for vulnerabilities as a commodity. We note the future work necessary to develop a functioning market for security vulnerabilities and close with some thoughts on the value of the insight of security as an externality.

1. Security as an externality 

Economists define externalities as instances where an individual or 
firm’s actions have economic consequences for others for which there 
is no compensation. Externalities can be either positive or negative. 
Pollution is the classic example of a negative externality. For example, 
a local plant owner may not fully internalize the costs the pollution from 
his plant inflicts on nearby homeowners. The plant owner will produce 
pollution until the costs to him outweigh the benefits. If homeowners 
could pay the plant owner not to pollute or if they could extract payment 
from the plant owner for every ounce of pollution, the owner’s cost of 
polluting would go up (in the former case, his benefits from not polluting 
would go up) so there would be less pollution. 

Examples of positive externalities are most common in networks, such 
as communication networks. For instance, the simple act of installing 
telephone service to an additional customer creates positive externalities 
on everyone on the telephone network because they can use the telephone 
to reach one additional person. Externalities created by a network or 
group of consumers whose choices affect one another are called “network 
externalities.” A recent literature has explored the implications network 
externalities have for firms competing to provide products that generate 
them ([Shapiro, Carl and Hal Varian, 1999] provides a non-technical 
survey of the issues associated with network effects). Coordination on a 
standard is a classic example. 

Another example of a positive externality with useful analogies to 
computer security is automotive security. When Lojack, the auto theft 
response system, is introduced in a city, auto theft in general goes down 
because Lojack is designed so that thieves can’t tell whether or not 
Lojack is installed in a specific car [Ayres and Levitt, 1998]. In other 
words, people who buy Lojack are providing positive externalities to 
other car owners in the city. 

The most basic conclusion economists draw about externalities is that 
absent government intervention or other mechanisms to internalize ex- 
ternalities, negative externalities are over-provided and positive exter- 
nalities are under-provided. There are also several corollaries to the basic 
conclusion. For instance, products that generate negative externalities 
will be under-priced. Also, the incentives to invest in technologies that 
will reduce negative externalities (e.g. incentives to invest in environ- 
mentally friendly production processes) will be insufficient. 

Several attributes of computer security suggest that it is an external- 
ity. Most importantly, the lack of security on one machine can cause 
adverse effects on another. There are three common ways in which secu- 
rity from one system harms another: shared trust, increased resources, 
and the ability for the attacker to confuse the trail. Shared trust is a 
problem when a system is trusted by another, so the subversion of one 
machine allows the subversion of another. (Unix machines have lists of 
trusted machines in .rhosts files). A second less obvious shared trust 
problem is when a user keeps on one machine his or her password and 
account information for another. The use of cookies to save passwords 
(as well as the status of a transaction, i.e. state) has made this practice 
extremely common. 

The second issue, increased resources, refers to the fact that attackers 
can increase resources for attacks by subverting multiple machines. This 
is most obviously useful in brute force attacks, for example in decryp- 
tion or in a denial of service attack. Using multiple machines makes 
denial of service attacks easier to implement, since such attacks may 
depend on overwhelming the target machine. Multiple machines can 
simplify attacks on password files, or enable cryptographic brute force 
attacks by searching for solution in parallel. A commonly used massively 
parallel search now is the SETI screen saver (http://www.seti.org/ 
setiathome.html). In a vein more immediately relevant to this work, 
parallelism has been essential in the successful attempts at the RSA 
factoring challenge (http://www.rsa.com/rsalabs/html/factoring. 
html). The SoBig virus family has been used to create a massively parallel system of subverted machines for sending spam; and infected machines are used by criminals who steal information from misdirected users through phishing.

Third, subverting multiple machines makes it difficult to trace an 
attack from its source. When taking a circuitous route an attacker can 
hide his or her tracks in the adulterated log files of multiple machines. 
Clearly this allows the attacker to remain hidden from law enforcement 
and continue to launch attacks. The third may be the most important 
as it greatly reduces fear of detection and therefore mitigates the effects 
of both law enforcement and enforcement of social norms. 

The last two points suggest that costs to hackers fall with the number 
of machines (and so the difference between the benefits of hacking and 
the costs increases), similar to the way in which benefits to phone users 
increase with the number of other phones on the network. 

Security breaches also may impact users’ willingness to transact over 
the network. For instance, consumers may be less willing to use the 
Internet for e-commerce if they hear of incidents of credit card theft. 
This is a rational response if there is no way for consumers to distinguish 
security levels of different sites. 

Because security is an externality, software and hardware prices do not 
reflect the possibility of and the extent of the damages from associated 
security failures. 

Simply identifying the externalities associated with security is not 
enough. Many market failures are recognized and continue to persist in 
the economy simply because the losses associated with them are much 
smaller than the costs associated with redressing the failure. (The costs 
of redress could take many forms, for instance, loss of personal freedom,

Pricing Security   21

transaction costs, bureaucratic overhead necessary for enforcement, etc.)
Before discussing ways to address the fact that security is an externality, 
it is important to think about the likely economic losses caused by this 
market failure. 

Unfortunately, very little information exists that could help us quan- 
tify the externalities, but we will discuss various categories of losses and 
suggest possible orders of magnitude as a starting point. It is useful 
to distinguish between losses that are directly tied to one incident (e.g. 
when a given site is hacked using resources from insecure machines, there 
are costs associated with lost productivity and administrative costs nec- 
essary to get the site back up) and losses that are more indirect (e.g. 
users losing faith in the security of the network). 

On the direct costs, there is information on incidents, for instance, by year in the US, but even counts of the number of incidents vary by orders of magnitude [Howard, 1997]. There have been no attempts to assign economic losses to incidents, even in terms of recording the number of hours a system was down.

There is some aggregate-level information on how much companies are currently spending on network security (e.g. Forrester, 1999). One way of evaluating the extent to which companies are under-spending would involve figuring out whether companies that are spending a lot on security are the same ones that are likely to inflict significant harm on others if their security is lax. For instance, firms with greater processing and network capabilities may invest more than firms with less capacity, but they also pose a greater potential threat (since hackers can use their machines to stage an attack). If, however, the magnitudes of the individual losses were not proportional to the losses inflicted on the rest of the economy, we would have additional evidence that security externalities are significant.

One potential source of information on indirect costs would be surveys 
about, for instance, whether people are more reluctant to use credit cards 
on the Internet after they have heard about security violations. 

Externalities and public goods are often discussed in the same sec- 
tions of economics textbooks. Both identify similar categories of market 
failures. A common example of a public good is national security, and 
it might be tempting to analogize national security and computer secu- 
rity. That would be misguided. National security, and public goods in 
general, are generally single, indivisible goods. (A pure public good is 
something which is both non-rival - my use of it doesn’t affect yours - 
and non-excludable - once the good is produced, it is hard to exclude 
people from using it.) Computer security, by comparison, is the sum of 
a number of individual firms’ or peoples’ decisions. It is important to 
distinguish computer security from national security (i.e. externalities 
from public goods) because the solutions to public goods problem and to 
externalities differ. The government usually handles the production of 
public goods, whereas there are a number of examples where simple in- 
terventions by the government have created a more efficient market such 
that trades between private economic parties better reflect the presence 
of externalities. 

A better analogy for computer security is pollution, and a number 
of market-based approaches have recently been implemented to help 
achieve a more efficient level of pollution abatement. We consider the 
newly-created markets for pollution more extensively in the sections that 
follow. 

2. Existing measures 

In this section we identify some common ways for addressing external- 
ities, and discuss the extent to which each solution has been successfully 
implemented in the case of computer security. 

There are several ways in which a government body can address exter- 
nalities: command and control regulation, information provision, stan- 
dard setting, support for the market and governmental provision of the 
good, either directly or indirectly through subsidies. In this section we 
discuss various ongoing attempts to address the issue of network security. 
Although none of these are explicitly motivated by security externalities, 
they all address the concern that computer security is not adequately 
provided by the market. 

Information provision 

Several federally funded projects have also explored the need for secu- 
rity on the Internet, including The President’s Commission on Critical 
Infrastructure Protection [Critical Foundations, 1997] and The National 
Academy CRISIS and Trust studies [Computer Science and Telecommu- 
nications Board, 1999]. 

The President’s Commission on Critical Infrastructure Protection (PC- 
CIP) [Critical Foundations, 1997] has focused on information sharing. 
The proposals in the PCCIP report to share information include a sug- 
gested exemption from the Freedom of Information Act. The PCCIP 
also proposes that a select group of public and private organizations 
cooperate and share information on vulnerabilities. Information on the 
vulnerabilities, which might serve many computer users, would be held 
tightly by the select members of this information-sharing organization. 
Thus, the few selected players would have greater information but the 
majority of computer users would not only obtain no additional infor- 
mation but would also be barred from seeking Federal information. 

The set of proposals in the PCCIP report for best practices is rea- 
sonable for a corporate intranet but ill-suited to small businesses, home 
users, or electronic commerce sites. For example, authenticating every 
user is not appropriate for browsing customers. Small businesses may 
be unable to conduct security training for every employee, and certainly 
cannot establish in-house incident response teams. The PCCIP views 
the critical elements of the infrastructure as being large intranets, and 
does not address the many home users, small businesses, academics, and 
hobbyists. 

The Federal Government also encourages the dissemination of infor- 
mation about security breaches by subsidizing incident response teams 
and computer security research and in its standard setting process. All 
of these are discussed in the sub-sections that follow. 

Setting standards 

The National Institute of Standards and Technology sets cryptographic standards. 
The adoption rate of particular Federal Information Processing Stan- 
dards (FIPS) has varied dramatically. The Data Encryption Standard 
(DES) as described in FIPS 46 [National Bureau of Standards, 1977] 
has been widely implemented. DES is the most widely used encryption 
algorithm in the world. In contrast, the “Clipper” standard [National 
Institute of Standards and Technology, 1994] has been subject to wide 
objections and is rarely used. 

To set a standard is to provide information. Selected standards are 
examined by the Federal Government and pronounced trustworthy. The 
original Clipper FIPS was the first information processing standard 
based on a classified algorithm. Thus it provided limited information. 
DES was developed with IBM, with the result being an open standard. 
The Advanced Encryption Standard, to replace DES, was chosen in an 
international open competitive process. The competitors to the final 
winning algorithm were examined, with each finalist being a contribu- 
tion to the larger cryptographic community. Information provision and 
market coordination in terms of standards-setting has improved network 
security, but has not proven adequate to address all security vulnerabil- 
ities. 

Another form of standard setting is classification. The Department 
of Defense began a decade-long experiment in classifying trustworthy 
components in 1985. The original proposal was for classifying machines, 
and is commonly called the Orange Book. The Orange Book was followed 
by a series of books, the Rainbow Series, which defined best practice 
and classifications for distributed databases, file systems, and other net- 
works. The networks are to be classified by existence of features (e.g. 
use of passwords), design, and implementation methodology. Together 
these factors are assumed to illustrate the overall level of security [De- 
partment of Defense, 1985]. Although this taxonomy is widely taught in 
introductory computer security classes for the concepts that it embodies, 
this effort has arguably failed. There are no major computer systems 
marketed with a Department of Defense rating. 

The National Security Agency has developed a Linux implementation 
that has been optimized for security, with a set of possible security poli- 
cies that can be implemented using the free, downloadable Linux. This 
is both a standard and a subsidy. 

The ideals of computer security embodied in the Department of De- 
fense Rainbow Series continue to be popular, with systems built logi- 
cally from a trusted computing base. However the ratings themselves 
and the mechanisms are widely ignored by the market. 

Subsidies 

The government subsidizes the provision of information security in 
three ways: support for incident response teams, purchase of secure 
technologies, and support for research in computer security. 

A clear subsidy of computer security is the provision of incident re- 
sponse teams. Incident response teams assist in detecting, preventing, 
defeating, and recovering from attacks on computer systems. Incident 
response teams provide service free or at subsidized rates. The Federal 
Government funds the Computer Incident Advisory Capability or CIAC 
(http://ciac.llnl.gov/) through the Department of Energy. 

The Computer Emergency Response Team/Coordinating Center was 
initially a fully federally funded operation. CERT/CC continues to com- 
pete for federal research funds, and the organization’s stated long term 
goal is to be self-supporting. Despite the reputedly high quality of ser- 
vices and strong confidentiality CERT/CC has not yet met this goal. 
The confidentiality provided to CERT clients is important to clients who 
would not want their customers, users, or shareholders aware of the 
breach of security, so that there is no corresponding loss of trust. The 
National Science Foundation has a bi-annual call for proposals on cy- 
bertrust. 

Military investment in computer security is difficult to judge, as much 
of it is classified, but it undeniably dwarfs the NSF investment. 

The government also provides a market for computer security tech- 
nologies. In particular, the Department of Defense and the Department 
of Energy both are large purchasers of computer security technology. 
In addition federally funded R&D centers (e.g. MITRE and RAND) 
and DoD contractors and suppliers provide products to the market for 
cutting-edge security technologies. 

Arguably the government support for research in computer security 
reflects the fact that research is an externality. Computer security can 
also be seen as a subcategory of national defense, which is a classic public 
good. Regardless, research support for computer security has proven 
more effective in finding weaknesses and resulting responses, and less 
successful in disseminating the results in terms of widespread adoption 
of optimal security practices. 

3. Defining the good 

The first step of creating a market is to define the good. In order for 
a market to function it must be targeted on a definable, discrete good. 
In the case of computer security, we need to decide whether we want to 
encourage the provision of more security or the provision of fewer vul- 
nerabilities. An increase in security can involve changes in institutional 
practices, upgrading platforms, increasing training, removing or adding 
services, or the removal of vulnerabilities. 

In the next section we evaluate a few security taxonomies to deter- 
mine if there is a need for a new taxonomy when many useful ones 
are extant. While reviewing this keep in mind that a vulnerability is 
a flaw which could allow unauthorized access or use. Almost by defini- 
tion, vulnerabilities are not known until they are exploited. A feature 
may be considered a vulnerability as soon as its misuse is illustrated. 
If an organization wants to keep a feature active despite potential for 
misuse without following good security practice, we propose that this 
organization face the social cost to the system that such a desire im- 
poses. Simply requiring “no vulnerabilities” is a command and control 
regulatory solution that is certain to fail. 

Characterizing the good: classifying computer 
security failures 

Because of the difficulty identifying a vulnerability ex ante, it is use- 
ful to think about using a taxonomy to price security failures. Goods 
within a certain category would be interchangeable and new vulnerabil- 
ities would be assigned to a category once identified. In the context of 
pollution, characterizing the good is somewhat easier, since a ton of sul- 
fur dioxide is identifiable as such. Nonetheless, the creators of pollution 
markets needed to think about which existing and prospective polluters 
would be in the market. For instance, internal combustion engines in 
vehicles emit small amounts of sulfur dioxide, yet car owners are not 
required to purchase pollution permits. 

Any taxonomy used to price security failures should be deterministic 
and complete. No security failure should be left unclassified and no 
security failure should fall into more than one classification. Given this 
fundamental limitation we now review security taxonomies developed by 
experts in the field. 

THE ECONOMICS OF INFORMATION SECURITY 

An early work on systems [Amoroso, 1994] argued that in addition 
to being complete and exclusive, taxonomies should also be unambiguous, 
repeatable, acceptable, and useful. Consider how this applies to 
classifying only vulnerabilities for the purpose of pricing. 

First it is most important that the mechanism be mutually exclusive. 
Any vulnerability must fit into only one class in order to be defined. The 
price must in part be determined by the classification; therefore the 
classification must also be unambiguous. 

A taxonomy of computer security need not be exhaustive for our in- 
terests. In particular viruses and worms are not of interest in terms 
of classification. Malicious actions are not the point of interest here. 
Rather the effort to price vulnerabilities would remove vulnerabilities 
from the network, thereby curbing widespread diffusion of viruses and 
worms. 

Clearly the classification system must be repeatable to be unambigu- 
ous. However, once a vulnerability is classified there is no need to do so 
twice. Therefore this condition is less strenuous in this case than in the 
case of analysis of incidents. 

All classifications would meet the last criteria: acceptability and use- 
fulness. According to [Amoroso, 1994], an acceptable taxonomy is logical 
and intuitive so that the taxonomy might be widely adopted. 

A taxonomy is also defined as “useful” by Amoroso if it provides 
insight into computer security. However, insight into computer security 
for the purposes of computer security research per se is not our point 
of interest here. Thus we will discard that requirement as inappropriate 
for this particular case. 

Now consider various security taxonomies. 

The most basic classification scheme for security is the original se- 
curity classification scheme of top secret, secret, and sensitive. This 
security classification applies to the files that are the subjects of com- 
puter security. That is, this classification is based on the material to be 
protected rather than the mechanisms used for protection. Our entire 
focus is on the mechanisms for protection so this classification method, 
and others based upon classification of documents according to content, 
are not useful. 

Consider three attempts to classify security failures: [Aslam, Krsul, 
and Spafford, 1996], [Landwehr, Bull, McDermott and Choi, 1994], and 
[Howard, 1997]. How applicable are these attempts to pricing? 

In his analysis of security incidents on the Internet, Howard focuses 
exclusively on incidents. An incident is an attack or series of attacks 
using the same set of tools by a single set of attackers. An attack may 
begin with a single subverted account and expand to multiple subverted 
sites over time. Howard focuses upon the exploitation of vulnerabilities 
rather than the existence of vulnerabilities. This analysis places empha- 
sis on issues of results of attacks and motivations of attackers. Since our 
work focuses on extant but not necessarily exploited vulnerabilities, any 
work which focuses on motivation is inappropriate. Clearly the attack 
is exactly what this work on pricing vulnerabilities would prevent. Thus 
while complete and unambiguous the taxonomy addresses variables that 
are not useful for this work. 

Motivation is also the reason that the work by Landwehr et al. does 
not apply. They focus on genesis, time of introduction, and location. 
Time of introduction and location are of interest. Landwehr’s work is 
not applicable because of its inclusion of malicious code. The work was 
reproducible, but not generalizable. In this work we are not interested 
in the actively malicious attacks, which are the proper realm of law or 
national security, but of all extant vulnerabilities, which we argue in the 
previous section is reasonably within the realm of economics. 

The work of Aslam, Krsul, and Spafford was an effort to classify 
security weaknesses and thus is the closest in spirit to this effort. There 
are four basic types of faults in Spafford’s classification. 

Synchronization faults and condition validation errors are classified as 
coding faults. Coding faults are faults which are included in the code. 
These result from errors in software construction. 

Configuration errors and environmental faults are subcategories of 
emergent faults. Emergent faults can occur when the software performs 
to specification but the result, when installed in a specific environment, 
is still a security vulnerability. 
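
The requirements laid out above for a pricing taxonomy (deterministic, complete, and mutually exclusive) can be checked mechanically once the classes are written down as predicates. The Python below is an added illustration, not code from this chapter or from Aslam, Krsul, and Spafford; it encodes their four fault classes over a constructed two-field record (`in_code`, `cause`), both fields being this example's assumption, audits a constructed set of findings for gaps and overlaps, and shows how a loosened class set fails the exclusivity test.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    """A reported flaw reduced to the two attributes this taxonomy keys on.
    The record format (in_code, cause) is an assumption of this example."""
    ident: str
    in_code: bool   # True: flaw lives in the software; False: it emerges on deployment
    cause: str      # "sync", "validation", "config", "environment", or something else


Taxonomy = Dict[str, Callable[[Finding], bool]]

# The four Aslam/Krsul/Spafford fault classes written as predicates:
# coding faults (synchronization, condition validation) and
# emergent faults (configuration, environmental).
AKS_TAXONOMY: Taxonomy = {
    "coding/synchronization":      lambda f: f.in_code and f.cause == "sync",
    "coding/condition-validation": lambda f: f.in_code and f.cause == "validation",
    "emergent/configuration":      lambda f: not f.in_code and f.cause == "config",
    "emergent/environmental":      lambda f: not f.in_code and f.cause == "environment",
}

# A deliberately loosened variant: the extra class overlaps both coding classes,
# so it fails the mutual-exclusivity requirement for pricing.
LOOSE_TAXONOMY: Taxonomy = {**AKS_TAXONOMY, "coding/any": lambda f: f.in_code}


def classify(f: Finding, taxonomy: Taxonomy = AKS_TAXONOMY) -> List[str]:
    """Every class whose predicate accepts the finding (ideally exactly one)."""
    return [name for name, pred in taxonomy.items() if pred(f)]


def audit(findings: List[Finding], taxonomy: Taxonomy = AKS_TAXONOMY
          ) -> Tuple[Dict[str, str], List[str], Dict[str, List[str]]]:
    """Return (assignment, gaps, overlaps).

    assignment: ident -> class for findings landing in exactly one class
    gaps:       findings no class accepts (taxonomy incomplete for them)
    overlaps:   findings several classes accept (taxonomy not exclusive)
    """
    assignment: Dict[str, str] = {}
    gaps: List[str] = []
    overlaps: Dict[str, List[str]] = {}
    for f in findings:
        hits = classify(f, taxonomy)
        if len(hits) == 1:
            assignment[f.ident] = hits[0]
        elif not hits:
            gaps.append(f.ident)
        else:
            overlaps[f.ident] = hits
    return assignment, gaps, overlaps


def is_priceable(findings: List[Finding], taxonomy: Taxonomy = AKS_TAXONOMY) -> bool:
    """Complete and mutually exclusive over the given findings."""
    _, gaps, overlaps = audit(findings, taxonomy)
    return not gaps and not overlaps


def is_repeatable(findings: List[Finding], taxonomy: Taxonomy = AKS_TAXONOMY,
                  rounds: int = 3) -> bool:
    """Re-running the classification must give the same result every time."""
    first = audit(findings, taxonomy)
    return all(audit(findings, taxonomy) == first for _ in range(rounds - 1))


# Constructed sample findings (not real advisories).
SAMPLE: List[Finding] = [
    Finding("F-1", in_code=True,  cause="sync"),         # check-then-use race in code
    Finding("F-2", in_code=True,  cause="validation"),   # missing length check
    Finding("F-3", in_code=False, cause="config"),       # default account left enabled
    Finding("F-4", in_code=False, cause="environment"),  # correct program, unsafe host library
    Finding("F-5", in_code=False, cause="social-engineering"),  # outside the scheme
]

if __name__ == "__main__":
    assignment, gaps, overlaps = audit(SAMPLE)
    for ident, cls in assignment.items():
        print(f"{ident}: {cls}")
    print("gaps:", gaps, "overlaps:", overlaps)
    print("exclusive under loosened taxonomy:", is_priceable(SAMPLE[:4], LOOSE_TAXONOMY))
```

Running the module prints the audit for the sample. A finding that belongs to no class (here the social-engineering report) is reported as a gap rather than forced into a class, which is the behaviour a pricing scheme needs so that out-of-scope items are never silently priced; the loosened taxonomy is rejected because two findings each land in two classes.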

Defining the good: a vulnerability 

We propose that this good, or item which will have a (negative) value, 
is a vulnerability. The market can then determine the exchange rates of 
different types of vulnerabilities. 

Some vulnerabilities have already been priced because they have been 
exploited and the destructive use of the vulnerability has placed a cost on 
the institution subject to the loss. However, the externalities discussed 
above (shared trust, additional resources and preventing detection) have 
not been included in this price, and so it is too low. 

Another issue is determining what a vulnerability is. We need to 
distinguish desirable features from vulnerabilities. In order to price vul- 
nerabilities one must classify them. Before classification must come defi- 
nition. A formal definition from computer security is that a vulnerability 
is an error which enables unauthorized access. This definition does not 
clarify the issue of feature versus vulnerability. An error may be an er- 
ror in judgement and this definition would still hold. Thus we offer the 
following. 

A vulnerability can be defined as follows: 

■ A technical flaw allowing unauthorized access or use 

■ Where the relationship between the flaw and access allowed is clear 

■ Which has been documented to have been used to subvert a ma- 
chine 

For example, the ability to send and receive email can be used for 
social engineering to obtain passwords. Using email to obtain passwords 
has been documented to be a useful attack. There is no correcting code 
or technical procedure available to end social engineering. Social engi- 
neering is not inherently a technical problem. The sending and receiving 
of email may be an error in judgement - one can forbid email from pass- 
ing through firewalls. Yet the relationship between sending email and 
obtaining unauthorized access is not clear. Is it allowing passwords to 
be transmitted? Is it allowing bad judgement? How is this a technical 
flaw? The option of allowing email to be sent and received in an orga- 
nization is too broad to fit under our more constrained definition. In 
other words, social engineering is not a vulnerability because it fails the 
first bullet point. 

A vulnerability could be defined as actionable after it had been posted 
for some number of days by at least two incident response teams or 
some days after it has been used to subvert a system. Since some IRTs 
do not post until a patch is available this would give vendors limited 
veto power over vulnerabilities. Thus the adoption of the market would 
require that the existence of the vulnerability be posted immediately, 
though certainly not the attack code. 

4. Allocating property rights 

In an article for which he later won the Nobel Prize, R.H. Coase 
proposed that an efficient production of goods usually associated with 
externalities could be achieved if all parties (e.g. the polluters and those 
harmed by pollution) could get together to make arrangements to in- 
ternalize the externalities [Coase, 1960]. Coase argued that it did not 
matter who had the property rights if transactions costs were sufficiently 
low. In other words, the allocation of property rights and determination 
of direction of payment does not matter. The Coase Theorem argues 
that if transactions costs are high then the allocation of the property 
rights and the law seriously affect the equilibrium. 

For the purpose of pricing vulnerabilities to increase security, rights 
could be assigned in one of two ways. First, computer owners and op- 
erators could be charged for having vulnerabilities and coders could be 
charged for creating them. Second, users of the network could pay oth- 
ers not to use software or engage in practices with known vulnerabilities. 
The second option would give users heavy incentives to employ vulnera- 
bilities in order to be paid not to use them. We focus on the first option, 
which allocates the right to a network with less vulnerability to all users 
and requires those that want to use vulnerabilities to buy that right. 

Pricing Security 

This raises a second issue: who, exactly, should be required to buy the 
right? One could imagine charging coders for developing software with 
vulnerabilities. In the case of shrink-wrapped software charging coders 
could be effective, except perhaps in cases where the software firm ceased 
to exist, e.g. had gone into bankruptcy, by the time the vulnerability 
is identified. However, in the critical arena of freeware, shareware, free 
software and other downloaded software, tracking down the author “re- 
sponsible” for the vulnerability would involve high transactions costs. 

The second alternative, and our preferred one, is to allocate certain initial 
property rights, i.e. a set of vulnerability permits, to every machine (client 
or server alike). In the sulfur dioxide emissions market, initial “al- 
lowances” (which gave the right to pollute a ton of sulfur dioxide) were 
allocated to each plant based loosely on the total output of the plant. 

With vulnerabilities a comparable approach can be used, by provid- 
ing vulnerability permits appropriately to each entity using machines, 
although there are many possible ways to distinguish the entities and 
set their permit level. Here we offer only one alternative. Note 
that the division of pollution allowances under the Clean Air Amend- 
ments was highly political [Schmalensee, R., Joskow, L., Ellerman, A.D., 
Montero, J.P., and Bailey, E. M., 1998], yet the resulting market still 
functions. 

There are many variables that can be used to determine how many 
‘machines’ are run by an entity (we will discuss what we mean by an 
entity below, but think of, for instance, a company, university or house- 
hold). Counting boxes is not a particularly clever approach since boxes 
have different numbers of processors and different processing power. One 
web site may have a small fraction of a server, or tens of servers accessing 
heavy backend hardware. 

Counting processing power may then appear reasonable; however, 
clearly a video processor inserted into a 386 does not make the ma- 
chine the equivalent of two Pentium III class machines. There is at 
least a common and recognizable metric in processing power that would 
recognize that supercomputers are not equivalent to aging dedicated 
printer servers. Thus we would advocate considering processing power 
regardless of platform. Notice that this treats implementation and cod- 
ing errors as equivalent. The hope is that producers of code with well- 
documented vulnerabilities would see a correcting market response when 
their code was identified as having many vulnerabilities. 

Now having defined ‘machines’ we consider ‘entities’. Defining the 
distinction between home and work, production and consumption is not 
trivial with information networks. 

Without having home users as part of the market the ability of users to 
respond to security failures in the computer market as a whole will suffer. 
By including home users, a successful market for effectively blackmailing 
users who do not know how to alter their machines will be created. How- 
ever, we believe that an equivalent market for upgrading home machines 
would then arise. 

Consider again our decision to focus on machines instead of coders. 
In the pollution context, the total amount of pollution generated by 
industrial processes is a function both of how polluting the technology 
used by a given plant is and how much output each plant produces. 
Pollution levels can be lowered both by giving consumers incentives to 
purchase products from clean plants and by encouraging plant owners 
to clean up their plants. Some policies, such as a tax on pollution in 
a competitive industry, can have both effects. Similarly, with coding, 
forcing machine owners to acquire more vulnerability permits from the 
market when they install certain software would create incentives for 
both those installing the software and those creating it. Assigning the 
number of vulnerability permits needed for each software product would 
require some sort of oversight board. 

Setting the number of vulnerability permits 

The market price for vulnerability permits should reflect two fac- 
tors: the expected severity of damage from vulnerabilities and costs of 
correcting or working around the vulnerability (e.g. the cost of doing 
without a particular feature). The first set of factors reflects the demand 
for reduced vulnerabilities and the second set the cost of supplying vul- 
nerability reductions. 

In creating a market for an externality, the government must decide 
how many permits to create and so think about where the appropri- 
ate balance between addressing the externality and hindering economic 
growth lies. For instance, in choosing the number of sulfur dioxide al- 
lowances to issue, the government could have issued so few that power 
plants that needed them would have bid their price up quite high and a 
number of coal power plants would have been forced to shut down rather 
than purchase expensive permits or install pollution control equipment. 
On the other hand, if the government created a very large number of 
permits, for instance, more than enough to cover the existing power 
plant emission, the market would have had no effect on pollution. In 
fact, the government did something in the middle and issued enough so 
that some power plants have taken steps to reduce their sulfur dioxide 
emissions. 

Note that to make a computer perfectly secure it may be necessary, in 
theory, to disconnect from the network. Thus, just as it must be feasible 
to continue polluting for production purposes it must be reasonable to 
continue connectivity despite security vulnerabilities. The government 
needs to create few enough vulnerability permits to discourage tolerance 
of known vulnerabilities but not so few as to discourage connectivity. 
Consider the factors entering this tradeoff for computer security. The 
expected severity of damages from a given vulnerability is a function of 
several things, including the chance that a vulnerability will be exploited, 
the damage likely given that the vulnerability was exploited, and the 
increased risk of other machines given that the particular machine was 
subverted. We have incomplete information on each of these factors. 

To determine risk of exploitation would require data that are currently 
unavailable and unlikely ever to be available. Not only are specific risks 
to specific machines unknown, there are not public data on the overall 
pattern of use of vulnerabilities. The validity of extant proprietary data 
is unknown. Not only can the risk not be known in the specific it cannot 
be known in the aggregate. One cannot measure ambient crackers in 
the way one might measure ambient air quality and then extrapolate to 
cancer risk. 

The losses on the exploited machine ideally reflect the investment of 
the owner of the machine in security. These losses are suffered by the 
same party that failed to secure the machine, thus are not at issue. 

The increased risk to other machines is a function of the connectivity 
and the processing power of the machine. The connectivity is a function 
of the topology of the Internet, and so varies based on the location of 
the machine. By treating all vulnerabilities as identical, we are ignoring 
this topology, although, in principle, separate types of permits could 
be created based on the location of the machine. For instance, there 
could be non-interchangeable “major” permits and “minor” permits. An 
owner of a machine with a high degree of connectivity (e.g., a T3 ISP 
versus a DSL home user) would need to purchase a major permit and 
an owner of a machine with a low degree of connectivity would need to 
purchase a minor permit. The government could then issue more minor 
permits than major permits to reflect the higher cost of vulnerabilities 
on well-connected machines. 

We could create more than two permit subclasses, but the problem 
with creating too many is that the markets for the individual types of 
permits then become illiquid. These issues are being confronted in dereg- 
ulated electricity markets, where the tradeoffs between a liquid market 
for a good with a broad geographic definition (e.g. electricity in Northern 
California) and an illiquid market for many geographically specific goods, 
such that the price reflects all of the interactions on the interconnected 
electric grid (e.g. electricity at the Humboldt substation in Northern 
California) are being evaluated. In the extreme, the government could 
create as many permit subclasses as there are Internet connections, but 
this would amount to regulating individual vulnerability levels and there 
would be no market. Also, the topology of the Internet is not mapped. 
Thus this element of price would be highly uncertain and establishing 
the correct number of permits would be problematic. 

Jump starting trading 

For a market to allocate goods to those who value them the most, 
there must be active trading for the good. Creating permits is effectively 
creating a new good. In the case of pollution permits, building a liquid 
market has proven possible but not trivial [Schmalensee, R., Joskow, 
L., Ellerman, A.D., Montero, J.P., and Bailey, E. M., 1998]. There are 
several factors that can encourage trading in the new good. 

First, potential buyers of a permit want to know that a seller in fact 
has a valid permit to offer. For instance, one could imagine creating 
physical (e.g. paper) permit “certificates,” but, particularly if permits 
become valuable, there is a strong potential that forgeries will enter cir- 
culation. If the number of permits is small enough, the government, 
or some other officially sanctioned organization (one could imagine the 
Internet Corporation for the Assignment of Names and Numbers, now 
in charge of assigning IP addresses and coordinating assignment of do- 
main names, performing this role), could track and validate all existing 
permits. 

Second, there needs to be monitoring of and sanctions for un-permitted 
vulnerabilities. Otherwise, potential buyers will have little incentive to 
go to the market to cover their vulnerabilities. A straightforward sanc- 
tion is a fine, set to exceed the expected permit price. Monitoring for 
vulnerabilities is more difficult. One solution could be to set up a sort of 
citizens’ militia, and reward the finder of a vulnerability. Also, parties that 
are awarded a lot of permits at the outset will have incentives to find 
vulnerabilities because it will increase the value of their permit. 
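
The mechanism sketched in this section (permits allocated to entities in proportion to the processing power of their machines, permit requirements per installed product set by an oversight board, non-interchangeable major and minor permits by connectivity, a government cap on the number issued, and a fine above the expected permit price for un-permitted vulnerabilities) can be made concrete in a short model. The Python below is an added example, not part of this chapter; the entities, processing-power figures, product names and the permit table of the hypothetical oversight board are all constructed, and the largest-remainder rounding and the 1.5 fine margin are choices of this example rather than anything the chapter specifies.

```python
from dataclasses import dataclass
from typing import Dict, List

MAJOR, MINOR = "major", "minor"   # non-interchangeable permit subclasses by connectivity


@dataclass
class Machine:
    power: int            # processing power units, the metric the chapter favours
    connectivity: str     # MAJOR (e.g. well-connected server) or MINOR (e.g. home DSL)
    software: List[str]   # installed products


@dataclass
class Entity:
    name: str             # company, university, household ...
    machines: List[Machine]


# Permits a hypothetical oversight board requires per installed product with
# documented vulnerabilities. Product names and counts are constructed.
BOARD_TABLE: Dict[str, int] = {"webd-1.0": 2, "mail-2.3": 1, "clean-tool": 0}


def permits_required(entity: Entity) -> Dict[str, int]:
    """Permits an entity needs in each class, summed over its installed software."""
    need = {MAJOR: 0, MINOR: 0}
    for m in entity.machines:
        need[m.connectivity] += sum(BOARD_TABLE.get(p, 0) for p in m.software)
    return need


def total_requirement(entities: List[Entity]) -> Dict[str, int]:
    total = {MAJOR: 0, MINOR: 0}
    for e in entities:
        for cls, n in permits_required(e).items():
            total[cls] += n
    return total


def issue(entities: List[Entity], fraction: float) -> Dict[str, int]:
    """Government cap: permits issued per class as a fraction of total requirement.
    fraction > 1 covers every existing vulnerability and leaves the market toothless."""
    return {cls: round(n * fraction) for cls, n in total_requirement(entities).items()}


def _largest_remainder(weights: Dict[str, int], total: int) -> Dict[str, int]:
    """Split `total` indivisible permits in proportion to `weights` (this example's rounding rule)."""
    alloc = {k: 0 for k in weights}
    w_sum = sum(weights.values())
    if total <= 0 or w_sum == 0:
        return alloc
    exact = {k: total * w / w_sum for k, w in weights.items()}
    alloc = {k: int(v) for k, v in exact.items()}            # floor
    left = total - sum(alloc.values())
    # remaining permits go to the largest fractional parts; ties broken by name
    for k in sorted(exact, key=lambda k: (-(exact[k] - alloc[k]), k))[:left]:
        alloc[k] += 1
    return alloc


def allocate(entities: List[Entity], issued: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Initial allocation: within each class, proportional to processing power,
    as sulfur dioxide allowances were tied loosely to plant output."""
    alloc = {e.name: {MAJOR: 0, MINOR: 0} for e in entities}
    for cls in (MAJOR, MINOR):
        weights = {e.name: sum(m.power for m in e.machines if m.connectivity == cls)
                   for e in entities}
        weights = {k: w for k, w in weights.items() if w > 0}
        for name, n in _largest_remainder(weights, issued.get(cls, 0)).items():
            alloc[name][cls] = n
    return alloc


def positions(entities: List[Entity], issued: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Allocation minus requirement per class: positive = can sell, negative = must buy."""
    alloc = allocate(entities, issued)
    return {e.name: {cls: alloc[e.name][cls] - permits_required(e)[cls] for cls in (MAJOR, MINOR)}
            for e in entities}


def fine(deficit: int, expected_price: float, margin: float = 1.5) -> float:
    """Sanction for un-permitted vulnerabilities, set above the expected permit price
    so buying is always cheaper than ignoring the market (margin is this example's choice)."""
    return 0.0 if deficit <= 0 else deficit * expected_price * margin


# Constructed entities: one ISP, one university, one household.
ENTITIES: List[Entity] = [
    Entity("isp", [Machine(44, MAJOR, ["webd-1.0", "mail-2.3"])]),
    Entity("university", [Machine(16, MAJOR, ["webd-1.0"]),
                          Machine(10, MINOR, ["mail-2.3", "clean-tool"])]),
    Entity("household", [Machine(5, MINOR, ["webd-1.0"])]),
]

if __name__ == "__main__":
    for cap in (0.8, 1.2):
        issued = issue(ENTITIES, cap)
        print(f"cap {cap}: issued {issued}")
        for name, pos in positions(ENTITIES, issued).items():
            short = sum(-n for n in pos.values() if n < 0)
            print(f"  {name}: {pos} fine if unpermitted: {fine(short, 10.0):.1f}")
```

Running it with caps of 0.8 and 1.2 of the total requirement reproduces the tradeoff described above: with the tight cap two of the three entities must buy permits or pay the fine, while with the loose cap the aggregate position is a surplus, so permits are cheap and the market does little. Even then the household, whose allocation follows its small processing power rather than its installed software, is still short and has to trade, which is the point of tying allocation to machines rather than to coders.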

With some amount of oversight and enforcement, entities in need of 
permits will be in search of potential sellers of them. At this point, pri- 
vate firms are likely to step in to help create a market. These market 
makers serve to bring buyers and sellers together, help publicize infor- 
mation about the market (e.g. by broadcasting market indices) and they 
often evaluate the credit-worthiness of potential buyers and sellers. For 
instance, Cantor Fitzgerald has an active brokerage service for environ- 
mental permits. They provide advice to potential buyers and sellers, help 
them structure deals, and allow them to execute anonymous trades. 
Alternatively, if market-specific services are of little value, trades could 
occur at a place like eBay. 

5. Conclusions 

Security is an externality, with vulnerabilities over-produced and se- 
cure systems under-provisioned. There are a set of strategies currently 
in use to increase the provision of network security; however these have 
proven inadequate. Developing a market for vulnerabilities would ad- 
dress the chronic underprovision of security. A mechanism for creating 
a market for security vulnerabilities based on vulnerability permits is one 
possible solution. We have provided a broad overview of what a market 
for vulnerability permits might look like. Obviously, many other issues 
would need to be addressed to create such a market, but in practice, as 
in our paper, the experience setting up environmental permit markets 
would be relevant. 

Trading markets for environmental externalities have been proposed at 
the global scale; however, the observations in this paper could be read- 
ily applied to individual institutions. Understanding security as an ex- 
ternality can inform charging mechanisms where no department would 
experience securing their networks as a cost center. Alternatively an 
internal market could be developed by a firm to encourage managers 
to invest in mitigating vulnerabilities in their own networks or penalize 
those who fail to do so. 

In theory a market mechanism can address the continued existence of 
well-documented vulnerabilities. As with any externality, other reme- 
dies exist. The government could mandate insurance coverage for secu- 
rity infractions and leave it to potential insurers to aggregate some of 
the security externalities. The government could set liability for failing 
to meet minimal security standards. Taxes could sanction owners of ma- 
chines with exposed vulnerabilities. These other potential remedies, and 
the overall cost of the under-provision of security, are described in the 
chapters in this text. The understanding of security as an externality 
informs much of the following chapters. 

The most significant strategic development in information 
technology over the past year has been ‘trusted computing 

Customers of the computing and communications industries are get- 
ting increasingly irritated at ever more complex and confusing prices. 
Products and services are sold both singly and in combinations on a great 
variety of different contracts. New technology is making ‘bundling’ and 
‘tying’ strategies ever easier, while IT goods and services markets are 
developing so as to make them ever more attractive to vendors. These 
trends are now starting to raise significant issues in competition policy, 
trade policy, and even environmental policy. 

Ink cartridges for computer printers provide a good example. Printer 
prices are increasingly subsidised by cartridge sales: the combination of 
cheap printers and expensive cartridges enables vendors to target high- 
volume business users and price-sensitive home users with the same prod- 
ucts. The level of cross-subsidy used to be limited by the availability of 
refilled cartridges, and cartridges from third-party aftermarket vendors. 
However, many printer cartridges now come with chips that authenticate 
them to the printer, a practice that started in 1996 with the Xerox N24 
(see [SC2003] for the history of cartridge chips). In a typical system, if 
the printer senses a third-party cartridge, or a refilled cartridge, it may 
silently downgrade from 1200 dpi to 300 dpi, or even refuse to work at 
all. An even more recent development is the use of expiry dates. Car- 
tridges for the HP BusinessJet 2200C expire after being in the printer 
for 30 months, or 4.5 years after manufacture [Inq] - which has led to 
consumer outrage [Slashdot-HP]. 

This development is setting up a trade conflict between the USA and 
Europe. Printer maker Lexmark has sued Static Control Components, 
a company making compatible cartridges and components, alleging that 
their compatible authentication chips breach the Digital Millennium 
Copyright Act [SC-law; Slashdot-SC]. On February 27, 2003, Judge Karl 
Forester ordered Static Control to stop selling cartridges with chips that 
interoperate with Lexmark’s printers pending the outcome of the case. 
“The court has no trouble accepting SCC’s claim that public policy 
generally favors competition,” wrote Judge Forester. “The court finds, 
however, that this general principle only favors legitimate competition. 
Public policy certainly does not support copyright infringement and vi- 
olations of the DMCA in the name of competition.” So it would now 
appear that US law protects the right of vendors to use such market 
barrier technologies to tie products and control aftermarkets¹. 

However, the European Parliament has approved a “Directive on 
waste electrical and electronic equipment” with the opposite effect. It is 
designed to force member states to outlaw, by 2006, the circumvention 
of EU recycling rules by companies who design products with chips to 
ensure that they cannot be recycled [Broersma2002]. The scene looks 
set for yet another trade war between the USA and Europe. Which side 
should economists and computer scientists support? 

Varian argues that tying printers to cartridges may be not too objec- 
tionable from a policy viewpoint [Varian2002]: 

The answer depends on how competitive the markets are. Take the 
inkjet printer market. If cartridges have a high profit margin but the 
market for printers is competitive, competition will push down the price 
of printers to compensate for the high-priced cartridges. Restricting 
after-purchase use makes the monopoly in cartridges stronger (since it 
inhibits refills), but that just makes sellers compete more intensely to 
sell printers, leading to lower prices in that market. This is just the old 
story of “give away the razor and sell the blades.” 

However, tying in other industries may well be: 

But if the industry supplying the products isn't very competitive, then 
controlling after-purchase behavior can be used to extend a monopoly 
from one market to another. The markets for software operating systems 
and for music and video content are highly concentrated, so partnerships 
between these two industries should be viewed with suspicion. Such 
partnerships could easily be used to benefit incumbents and to restrict 
potential entrants. 

In a growing number of industries, technical tying mechanisms based 
on cryptography, or at least on software that is tiresome to reverse en- 
gineer, are being used to control aftermarkets: 

■ Mobile phone manufacturers often earn more money on batteries 
than on the sales of the phones themselves, so have introduced 



¹ Since this paper was originally presented at WEIS 2003, SCC has won an appeal. However 
the problems continue; for example, the recent EU IPR Enforcement Directive seems bound 
to increase the abuse of IP rights for aftermarket control. 
authentication chips into the batteries. A mobile phone may refuse 
to recharge an alien battery, and may turn up the RF transmitter 
power to drain it as quickly as possible. In Motorola’s case, battery 
authentication was represented as a customer safety measure when 
it was introduced in 1998 [Mot98]; 

■ Carmakers are using data format lockout to stop their customers 
getting repairs done by independent mechanics. In the case of the 
writer's own car, for example, the local garage can do a perfectly 
adequate 10,000 mile service, but does not have the software to 
turn off the nagging ‘service due’ light on the dashboard. Congress 
is getting upset at such practices [Pickler2002]; 

■ Computer games firms have been using market barrier tricks for 
years. As with printers, the business strategy is to subsidise sales 
of the actual consoles with sales of the cartridges (or more recently, 
CDs) containing the software. Sales of accessories, such as memory 
cards, are also controlled, and there have been lawsuits invoking 
the DMCA against unlicensed accessory vendors. As with print- 
ers, laws are diverging; for example, it is legal to defeat the Sony 
PlayStation’s copy protection and accessory control mechanisms in 
Australia, but not in Canada [Becker2002]. 

Up till now, vendors wanting to introduce barrier technologies to con- 
trol aftermarkets typically had to design them from scratch. It is hard 
to get security designs right first time - especially when the designers 
are new to information security technology - so most early designs were 
easily circumvented [And2001]. The legislative environment is uneven 
and unpredictable, as the above examples show. There are often major 
political issues, especially in industries that are already concentrated and 
exposed to regulation. So there are significant risks and costs associated 
with these barrier technologies, and they are by no means ubiquitous. 

That may be about to change dramatically. The introduction of so- 
called ‘trusted computing’ will make it straightforward for all sorts of 
vendors to tie products to each other, to lock applications and data on 
different platforms, and to tie down licences for the software components 
of systems to particular machines. This is likely to usher in a significant 
change in the way in which many of the information goods and services 
industries do business, and may spill over into many traditional industries 
too. First, we need a brief overview of ‘trusted computing’. (For more 
detail, see the Trusted Computing FAQ at [TCPA-FAQ].) 

1. Trusted Computing 

In June 2002, Microsoft announced Palladium, a version of Windows 
implementing ‘trusted computing’ and due for release in 2004. In this 
context, ‘trusted’ means that software running on a PC can be trusted by 
third parties, who can verify that a program running on a machine with 
which they are communicating has not been modified by the machine’s 
owner. Programs will also be able to communicate securely with each 
other, and with their authors. This opens up a number of interesting 
new possibilities. 

The obvious application is digital rights management (DRM): Disney 
will be able to sell you DVDs that will decrypt and run on a Palladium 
platform, but which you won’t be able to copy. The music industry will 
be able to sell you music downloads that you won't be able to swap. They 
will be able to sell you CDs that you’ll only be able to play three times, or 
only on your birthday. This will be controversial; other applications will 
be less so. For example, trusted computing platforms can host games 
where cheating is much harder, or auction clients which can be trusted 
to follow a set of agreed rules - which will make it significantly easier to 
design many types of auction [AM2002]. 

Palladium built on the work of the Trusted Computing Platform Al- 
liance (TCPA) which included Microsoft, Intel, IBM and HP as founder 
members. The TCPA specification, version 1.0, was published in 2000, 
but attracted little attention at the time. Palladium was claimed to use 
TCPA version 1.1 which supports some extra hardware features, and 
the next generation of Pentium processors from Intel (the ‘LaGrande’ 
series), which offer an extra memory protection mode: the idea is that 
since many existing untrusted applications run with administrator privi- 
lege, that is in ring 0 of the processor, upgrading security without replac- 
ing all these applications requires yet another protected memory mode, 
called ‘curtained memory’, so that small parts of trusted software can 
run with extra privilege that gives them access to cryptographic keys. 
TCPA has recently been formally incorporated and relaunched as the 
‘Trusted Computing Group’ [TCG]. 

The TCPA/TCG specifications set out the interface between the hard- 
ware security component (the ‘Fritz chip’), which monitors what soft- 
ware and hardware are running on a machine, and the rest of the system, 
which includes the higher layers of software and the means by which the 
Fritz chips in different machines communicate with each other. Fritz’s 
role in the ‘trusted’ ecology is to assure third parties that your machine 
is the machine you claim it to be, and that it is running the software 
that you claim it to be. 

Terminology 

There is some difficulty in finding a suitable name for the subject mat- 
ter of this paper. Neither ‘TCPA’ nor ‘Palladium’ will really do. For a 
while, when public criticism of TCPA built up, Microsoft pretended that 
Palladium and TCPA had nothing to do with each other; this pretence 
was then abandoned. But as criticism of Palladium has increased in 
turn, Microsoft renamed it NGSCB, for ‘Next Generation Secure Com- 
puting Base’ [Lettice2002]. Presumably this isn’t the final name, and 
in any case it’s a bit of a mouthful. We might refer to the project as 
‘trusted computing’ but that has evoked principled opposition; Richard 
Stallman, for example, prefers ‘treacherous computing’ as the real pur- 
pose of the technology is to remove effective control of a PC from its 
owner. It is thus the opposite of trustworthy [Stallman2002]. 

There is a further twist. In the information security community, the 
words ‘trust’ and ‘trustworthy’ have a more subtle meaning than in com- 
mon parlance. The following example illustrates the difference. If an 
NSA employee is observed in a toilet stall at Baltimore Washington In- 
ternational airport selling key material to a Chinese diplomat, then (as- 
suming his operation was not authorized) we can describe him as ‘trusted 
but not trustworthy’. The proper definition is that a trusted system 
or component is one whose failure can break the security policy, while 
a trustworthy system or component is one that won’t fail [And2001]. 
Since this was pointed out, Microsoft has renamed ‘trusted comput- 
ing’ as ‘trustworthy computing’ [WS2003]. (Intel and IBM stick with 
‘trusted’.) 

I will therefore refer to the subject matter as TC, which the reader can 
pronounce as ‘trustworthy computing’, ‘trusted computing’ or ‘treacher- 
ous computing’, according to taste. Perhaps in time we can arrive at a 
consensus on a more appropriate name (maybe ‘controlled computing’). 

Control and governance 

If the owner of a computer is no longer to be in ultimate control of 
it, then the big question is where the control goes. This is a question 
on which companies involved in TC have expressed different views at 
different times. A straightforward reading of the TCPA 1.0 specification 
suggests that a hierarchy of certification authorities would certify the 
various hardware and software components that could make up a TC 
system. The control would thus be exercised centrally by an industry 
consortium. 

After the launch of Palladium, Microsoft took the public stance that 
there would be no mechanism in Palladium to support such central cer- 
tification, and it would be up to the vendors of TC applications or of 
the content used by them to decide what combinations of hardware and 
operating system software would be acceptable. Thus, in the DRM case, 
it would be Disney - or perhaps Microsoft as the vendor of Media Player 
- who would certify particular platforms as being suitable for rendering 
‘Snow White’. 

Further confusion has been created by the recent launch of Windows 
Server 2003, which contains some of the file locking functions previously 
ascribed to Palladium. A TC machine may therefore need a number of 
different layers of hardware and software to collaborate to provide the TC 
functionality: the curtained-memory CPU, the Fritz chip, the NGSCB 
software, the Windows 2003 (or later) platform, and the application. 
This has enabled Microsoft to reply to early criticisms of TC saying 
that NGSCB will not do any of the bad things alleged of it; it will not 
censor your data or take away control of your computer. But Microsoft 
admits: ‘It is true that NGSCB functionality can be used by an appli- 
cation (written by anyone) to enforce a policy that is agreed to by a 
user and a provider, including policies related to other software that the 
application can load’ [Manfer2003]. 

So the locus of trust is moved upwards in the stack, but it is not 
eliminated. This may be thought to make the competition policy issues 
less acute, but further reflection suggests that a competitor producing a 
GNU/linux platform running on TCPA hardware, and seeking certifica- 
tion for it, might have to get it approved by a large number of disparate 
content vendors in multiple jurisdictions, rather than simply bringing 
suit against a central certification authority run by an industry consor- 
tium. This does not imply that there will be no ‘TC/linux’ - such a 
product is apparently being worked on by HP and IBM [Erickson2002] 
- but it suggests that the competition between TC platforms may be 
less diverse than TC proponents claim. Even if it were a worthy goal 
to make DRM available on a large variety of platforms, this strategy 
of fragmenting control and making governance either diffuse or opaque 
promises to put up the per-platform entry costs to the point that only 
a small number of popular platforms are ever effectively supported, and 
that consumers will have little or no real choice. 

There is slightly more clarity on the management of policy, by which 
we mean the rules that a particular application will enforce - such as 
tags for commercial CDs saying ‘never copy’ or ‘one backup only’, or 
for broadcast movies saying ‘recording for time-shifted viewing allowed; 
copying not allowed’. The primary policy source will be a server at the 
application vendor, and there will be mechanisms for some policy to be 
devolved to system owners. 

Thus, for example, a TC system used to enforce government-style 
protective markings for classified information may have a central policy 
that information may only move upwards, so that part of a ‘confidential’ 
file could be cut and pasted into a ‘secret’ file but not vice versa; there 
might be a further local policy component that would enable the author 
of a particular classified document to restrict it to a number of named 
individuals, or to prevent it from being forwarded, or to prevent it from 
being printed. 
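The two-layer policy just described, with a central upward-only flow rule and a local author-set restriction on top of it, as an added example in Python that is not part of the original chapter; the marking names, the Document fields and the user names are constructed for the illustration.

```python
"""Added illustration (constructed, not from the chapter's authors or any
vendor) of a central policy that classified information may only move
upwards, combined with a local policy an author may attach to a document:
named readers only, no forwarding, no printing."""
from dataclasses import dataclass
from typing import Optional

# Central policy: the protective markings in increasing order (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dominates(higher: str, lower: str) -> bool:
    """True when `higher` is at least as sensitive as `lower`."""
    return LEVELS[higher] >= LEVELS[lower]


@dataclass
class Document:
    name: str
    level: str
    # Local policy set by the author; None means no named-reader restriction.
    readers: Optional[frozenset] = None
    forwardable: bool = True
    printable: bool = True


@dataclass
class Decision:
    allowed: bool
    reason: str


def can_paste(src: Document, dst: Document) -> Decision:
    """Central policy: data may be cut from `src` and pasted into `dst`
    only if that moves it upwards (or sideways), never downwards."""
    if dominates(dst.level, src.level):
        return Decision(True, f"{src.level} -> {dst.level} is an upward flow")
    return Decision(False, f"{src.level} -> {dst.level} would move data downwards")


def can_read(doc: Document, user: str, clearance: str) -> Decision:
    """Central check (clearance dominates the marking), then the author's
    local named-reader restriction; both must pass."""
    if not dominates(clearance, doc.level):
        return Decision(False, f"{user} holds {clearance}, document is {doc.level}")
    if doc.readers is not None and user not in doc.readers:
        return Decision(False, f"{user} is not a named reader of {doc.name}")
    return Decision(True, "clearance and local policy satisfied")


def can_forward(doc: Document, sender: str, clearance: str,
                recipient: str, recipient_clearance: str) -> Decision:
    """Forwarding = the sender may read it, the document is not marked
    do-not-forward, and the recipient may read it under the same policy."""
    first = can_read(doc, sender, clearance)
    if not first.allowed:
        return first
    if not doc.forwardable:
        return Decision(False, f"{doc.name} is marked do-not-forward")
    return can_read(doc, recipient, recipient_clearance)


def can_print(doc: Document, user: str, clearance: str) -> Decision:
    """Printing = the user may read it and the author has not forbidden printing."""
    first = can_read(doc, user, clearance)
    if not first.allowed:
        return first
    if not doc.printable:
        return Decision(False, f"{doc.name} is marked do-not-print")
    return first


if __name__ == "__main__":
    memo = Document("memo", "confidential")
    plan = Document("plan", "secret", readers=frozenset({"alice", "bob"}),
                    forwardable=False, printable=False)
    for label, d in [("paste memo -> plan", can_paste(memo, plan)),
                     ("paste plan -> memo", can_paste(plan, memo)),
                     ("carol reads plan", can_read(plan, "carol", "top secret")),
                     ("alice forwards plan", can_forward(plan, "alice", "secret", "bob", "secret"))]:
        print(f"{label}: {'allowed' if d.allowed else 'denied'} ({d.reason})")
```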

2. Value to corporate and government users 

Using TC systems to protect classified government information and 
corporate secrets is an interesting application, and one being used to 
promote the TC agenda. “It’s a funny thing,” said Bill Gates. “We 
came at this thinking about music, but then we realized that e-mail and 
documents were far more interesting domains” [Thurrott2002]. 
Some details about how rights management mechanisms can be ap- 
plied in this way to the control of confidential information, as opposed 
to things like music and video, have been released recently in a Microsoft 
paper on Windows Server 2003 [WS2003]. (This anticipates the release 
of the full TC platform, but a number of the TC features have already 
appeared in early form in other Microsoft products; for example, the 
combination of trusted boot and software copy protection has turned up 
in the Xbox, albeit using primitive mechanisms that were readily cir- 
cumvented [Huang]. The early releases of TC component technologies 
can at least give us some idea of likely mature functionality.) 

The new features offered by Windows Server 2003 enable the creator 
of a document or other file to maintain some control over it regardless of 
where it may subsequently move. It will be possible to send an email with 
restrictions, such as that the recipient cannot forward it, or cannot print 
it, or can read it only if she has a ‘secret’ clearance, or that the document 
will only be readable until the end of the month. Apparently the new 
Windows software on each PC emulates the future role of the Fritz chip. 
Windows users who wish to use TC functionality can then register, and 
an online service appears to be involved in deciding whether or not to 
make an appropriate decryption key available to the application. The 
details are not entirely clear at the time of writing. 

Many government systems already have mandatory access controls 
that prevent any person or process reading a classified document unless 
they have an adequate clearance. The implementation of such systems 
is fraught with surprisingly many practical difficulties, described for ex- 
ample in [And2001]. The complexity of the information flows within 
real organisations tends to cause all the information to either float up 
to the highest level of classification, or float down to the lowest level; 
there is a tendency for the number of compartments in which informa- 
tion is held to become either unmanageably large, or so small as to give 
little protection against insiders; most applications have to be rewritten 
to deal with the increased complexity and restricted connectivity; and 
there are consistency problems when High and Low parts of the sys- 
tem acquire different views of the same data. In general, the experience 
of mandatory access control systems is that although they can prevent 
bad things from happening, they prevent even more good things from 
happening, and provide a poor ratio of benefit to cost. The trend in 
government systems nowadays is to use more lightweight mechanisms, 
coupled with procedural controls and disciplinary measures, to achieve 
the desired results, rather than expecting the technology to do all the 
work. 

So it is unclear what value most of the proposed rights management 
mechanisms will bring to corporate and government users. 

A restricted subset of them may well be adopted widely, though. One 
of the selling points of the technology is that a corporation can arrange 
for all internal emails to become unreadable after 90 days. Apparently, 

42 

THE ECONOMICS OF INFORMATION SECURITY 

Microsoft already imposes such a discipline internally. Given the increas- 
ingly aggressive discovery tactics used in litigation, it is maybe rather 
attractive to corporate legal officers to make emails behave like telephone 
calls rather than like letters; whether this is in the public interest is, of 
course, another question. 

Even such a simple application will turn out to be complex to imple- 
ment, because of established policy conflicts. Export laws in many coun- 
tries require companies to preserve copies of communications by which 
software, documentation or know-how on the dual-use list is exported; 
this may mean keeping all relevant emails for three years. Accounting 
regulations may require the preservation of relevant emails for six years. 
One can anticipate widespread tussles between policies mandating de- 
struction, and policies mandating preservation. As with multilevel secu- 
rity policies, it may turn out to be very difficult to implement systems 
so that just the ‘right amount’ of data are preserved. 

3. Value to content owners 

There has been much lobbying by the content industry for stronger 
digital rights management systems, and for stronger legal protection 
for the systems that already exist. The argument is made that digital 
technologies allow free copying, which will destroy content markets. This 
argument is less widely believed nowadays, as the means for copying 
CDs have been widely available for several years with no particularly 
noticeable impact on sales [Lewis2003]. There are many factors from 
which the content industry can take comfort. 

Swapping music informally is not free, because of the time and ef- 
fort required to build social networks; peer-to-peer systems do not solve 
the problem, as they are poor at the critical functions of indexing and 
searching; any organised central index service, such as Napster, can be 
attacked by legal means; and the existing weak DRM mechanisms, such 
as those in Media Player, provide a high enough barrier for a number of 
music subscription services and e-book publishers to flourish. It is not at 
all clear that a much stronger DRM mechanism, such as that promised 
by TC, would provide substantial gains for the content owners over the 
emerging status quo². 

It is argued by DRM proponents that stronger DRM will extend the 
reach of DRM solutions [Erickson2002]. However, many of the benefits 
that have been talked about in this context are unlikely to yield viable 
business models. Enabling music lending, for example - the idea that 
you can lend your copy of a CD to a friend, with your own copy be- 
coming unplayable until you get the main copy back - would enable 



² Since this paper was first published, a major study has shown that file sharing does not in 
fact have a negative effect on CD sales: see “The Effect of File Sharing on Record Sales - An 
Empirical Analysis”, Felix Oberholzer, Koleman Strumpf, at http://www.unc.edu/~cigar/ 
people to implement a legal ‘Napster’ in which members’ CD tracks 
were pooled, and were thus used very much more than the twice a year 
that an average CD is played. This seems unlikely to be attractive to 
the music industry. It may well be possible to practice more extreme 
forms of price discrimination if strong DRM is widely fielded. But it 
is unclear that most information businesses will get substantial benefit 
from perfect price discrimination, because of the transaction costs and 
the negative social externalities such as loss of privacy. In practice, the 
ability to differentiate three grades of product at three different prices 
seems to be adequate for most purposes [SV98]. 

There is also a significant risk - that if TC machines become pervasive, 
they can be used by the other side just as easily. Users can create 
‘blacknets’ for swapping prohibited material of various kinds, and it will 
become easier to create peer-to-peer systems like gnutella or mojonation 
but which are very much more resistant to attack by the music industry 
- as only genuine clients will be able to participate. The current methods 
used to attack such systems, involving service denial attacks undertaken 
by Trojanned clients, will not work any more [Schech]. So when TC is 
implemented, the law of unintended consequences could well make the 
music industry a victim rather than a beneficiary. 

There is a further risk, in that if Microsoft comes to control the elec- 
tronic distribution of music and video content through a monopoly built 
on Media Player, then this could restrict competition in the content 
industries. For example, a small film producer in a minority language 
might find it even harder than at present to get effective distribution. 
The effects of this could be both economic and cultural. Certainly, many 
of the smaller firms in the content sector may find TC to be at best a 
mixed blessing. 

In any case, if the music industry wants to provide more value for its 
customers, it is not at all clear that TC is a critical component. New and 
useful online services such as those supporting indexing, browsing and 
access to background information seem likely to increase the revenues 
from subscription as opposed to first-sale income, and thus decrease the 
industry’s likely dependence on strong DRM. 

4. Value to hardware vendors 

Experience shows that security mechanisms often favour the interests 
of those who pay for them more than the interests of the customers 
for whose benefit they were putatively developed [And2001]. For exam- 
ple, the introduction of authentication and encryption into GSM mobile 
phones was advertised as giving subscribers greater security compared 
with analogue phones, which were easy to clone and to eavesdrop. How- 
ever, more mature experience shows that the main beneficiaries were the 
phone companies who paid for the security development. 
With the old analogue phones, people wanting to make free calls, or 
to defraud the system by calling 900 numbers controlled by associates, 
would clone phones, which would generally cost the phone companies 
money. With the GSM system, criminals either buy phones using stolen 
credit cards (dumping the cost on the banks) or, increasingly, use mobile 
phones stolen in street robberies (which cost the customers even more). 
As for privacy, almost all the eavesdropping in the world is performed 
by police and intelligence agencies, who have access to the clear voice 
data on the backbone networks anyway. 

Such experience suggests that we examine the likely effect of TC on 
the business of its promoters. 

In the case of Intel, the incentive for joining TCPA was strategic. As 
Intel owns most of the PC microprocessor market, from which it draws 
most of its profits, it can only grow if the PC market does. Intel has 
therefore developed a research program to support a ‘platform leader- 
ship’ strategy, in which they lead industry efforts to develop technologies 
that will make the PC more useful, such as the PCI bus and USB. Their 
modus operandi is described in [GC2002]: they typically set up a con- 
sortium to share the development of the technology, get the founder 
members to put some patents into a pool, publish a standard, get some 
momentum behind it, then license it to the industry on the condition 
that licensees in turn cross-license any interfering patents of their own, 
at zero cost, to all consortium members. 

The positive view of this strategy was that Intel grew the overall 
market for PCs; the dark side was that they prevented any competitor 
achieving a dominant position in any technology that might have threat- 
ened their control of the PC hardware. Thus, Intel could not afford for 
IBM’s microchannel bus to prevail, not just as a competing nexus of the 
PC hardware platform but also because IBM had no interest in provid- 
ing the bandwidth needed for the PC to compete with high-end systems. 
The effect in strategic terms is somewhat similar to the old Roman prac- 
tice of demolishing all dwellings and cutting down all trees close to their 
roads or their castles. This approach has evolved into a highly effective 
way of skirting antitrust law. So far, the authorities do not seem to have 
been worried about such consortia - so long as the standards are open 
and accessible to all companies. The authorities may need to become 
slightly more sophisticated. 

5. Value to software vendors 

The case of Microsoft is perhaps even more interesting than that of 
Intel. In its original form, TCPA had the potential to eliminate unli- 
censed software directly: a trusted platform, reporting to a central au- 
thentication structure, could simply refuse to run unlicensed software. 
The mechanisms currently used to register software could be made very 
much harder to circumvent: the Fritz chip maintains a list of the hard- 
ware and operating system software components of a TC machine, and 
there is provision for these to be checked against positive and negative 
authorisation lists. The operating system can then perform a similar 
service for application programs. Among early TCPA developers, there 
was an assumption that blacklist mechanisms would extend as far as 
disabling all documents created using a machine whose software licence 
fees weren’t paid. Having strong mechanisms that embedded machine 
identifiers in all files they had created or modified would create huge 
leverage. Following the initial public outcry, Microsoft now denies that 
such blacklist mechanisms will be introduced - at least at the NGSCB 
level [Manfer2003]³. 
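The checking scheme described above, with measured platform components compared against positive and negative authorisation lists and the operating system then doing the same for applications, as an added example in Python. It is constructed for this page and is not the TCPA/TCG specification or any vendor's code; the component images, list contents and the SHA-256 measurement are all assumptions.

```python
"""Added illustration (constructed, not from the TCPA/TCG specification or
any vendor): measured hardware and OS components are checked against a
positive (approved) list and a negative (revoked) list, then the OS applies
the same service to application programs."""
import hashlib
from typing import Dict, List, Tuple

Component = Tuple[str, bytes]   # (name, image bytes)
AuthList = Dict[str, str]       # measurement -> human-readable label

# Constructed component images; a real system would measure real binaries.
BIOS = b"constructed firmware image, build 1"
KERNEL = b"constructed OS kernel image, build 5"
OLD_KERNEL = b"constructed OS kernel image, build 4 (withdrawn)"
WORD_PROCESSOR = b"constructed application: word processor"
UNKNOWN_APP = b"constructed application: never certified"


def measure(image: bytes) -> str:
    """A component's measurement: here simply the SHA-256 of its image."""
    return hashlib.sha256(image).hexdigest()


# Hardware-level lists consulted for platform components (constructed).
PLATFORM_POSITIVE: AuthList = {
    measure(BIOS): "firmware build 1",
    measure(KERNEL): "kernel build 5",
}
PLATFORM_NEGATIVE: AuthList = {
    measure(OLD_KERNEL): "kernel build 4, withdrawn",
}
# Operating-system-level lists consulted for applications (constructed).
APP_POSITIVE: AuthList = {measure(WORD_PROCESSOR): "word processor"}
APP_NEGATIVE: AuthList = {}


def extend(register: str, measurement: str) -> str:
    """Fold a measurement into an accumulating register, so the final value
    depends on every component and on the order in which they were loaded."""
    return hashlib.sha256(bytes.fromhex(register) + bytes.fromhex(measurement)).hexdigest()


def check_components(components: List[Component], positive: AuthList,
                     negative: AuthList) -> Tuple[bool, List[str], str]:
    """Return (all_approved, findings, register).

    The negative list is consulted first, so a revoked component fails even
    if a stale positive list still approves it; a component on neither list
    is unknown and is also treated as unapproved."""
    register = "00" * 32
    findings: List[str] = []
    all_approved = True
    for name, image in components:
        m = measure(image)
        register = extend(register, m)
        if m in negative:
            findings.append(f"{name}: revoked ({negative[m]})")
            all_approved = False
        elif m in positive:
            findings.append(f"{name}: approved ({positive[m]})")
        else:
            findings.append(f"{name}: unknown, not on positive list")
            all_approved = False
    return all_approved, findings, register


def boot_and_launch(platform: List[Component],
                    apps: List[Component]) -> Tuple[bool, List[str]]:
    """Two-stage check: platform components first; applications are only
    examined (against the OS-level lists) once the platform has passed."""
    platform_ok, findings, register = check_components(
        platform, PLATFORM_POSITIVE, PLATFORM_NEGATIVE)
    findings.append(f"platform register: {register[:16]}...")
    if not platform_ok:
        findings.append("platform not approved; applications not checked")
        return False, findings
    apps_ok, app_findings, _ = check_components(apps, APP_POSITIVE, APP_NEGATIVE)
    return apps_ok, findings + app_findings


if __name__ == "__main__":
    ok, report = boot_and_launch([("firmware", BIOS), ("kernel", OLD_KERNEL)],
                                 [("wordproc", WORD_PROCESSOR)])
    print("approved" if ok else "refused")
    for line in report:
        print(" ", line)
```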

The Palladium/NGSCB/Win2003 system as now presented relies on 
more subtle mechanisms. Control will not now, we are told, be exerted 
from the bottom up through the TC hardware, but from the top down 
through the TC applications. Walt Disney will be free to decide on 
what terms they will supply content to TC (and other) systems with 
particular configurations of hardware and software; if they decide to 
charge $12.99 for a DVD version of ‘Snow White’, $9.99 for a download 
for TC/Windows using Media Player, but refuse to provide content 
for TC/linux at all, then Microsoft can claim, to the media and the 
antitrust authorities, that that is their decision rather than Microsoft’s. 

The resulting incentives run very strongly in Microsoft’s favour. Given 
that TC/Windows will certainly be the dominant TC platform, most 
developers will make their products available for this platform first, and 
for others later (if at all) - just as most developers made their products 
available for Windows first and for Mac later (if at all) once it became 
clear that the PC market was tipping in the Wintel direction. 

So the antitrust concern should now focus not on Microsoft’s con- 
trol of Palladium/NGSCB, but rather on its control of the dominant 
applications - Media Player and Office. 

The importance of applications 

In effect, Microsoft is investing in equipping the operating system 
platform (NGSCB and Windows2003+) with TC mechanisms in order 
to reap a reward through higher fee income from its applications. This 
can be direct (such as charging double for Office) or indirect (such as 
taking a percentage on all the content bought through Media Player). 
From the competition viewpoint, everything will hinge on how hard it 
is for other firms to make their applications and their content interwork 
with Microsoft’s applications and content. Where rents can be charged, 



³ It is of course hard to understand how, in the long term, Microsoft will refrain from moving 
against people who pirate its software, given that it can also do so at the Windows level, 
the application level, or through controlling interoperability between licensed and unlicensed 
platforms from the standpoint of licensed platforms. 
it is in Microsoft’s interest to make this interoperability as difficult as 
possible. 

If popular music subscription services employ Media Player, and Me- 
dia Player eventually requires a TC platform, then subscribers may be 
faced with the need to migrate to a TC platform, or lose access to the 
music they have already stored. Of course, once the use of a TC applica- 
tion becomes widespread, with many users locked in, license compliance 
mechanisms can be implemented that will be about as hard to evade as 
the underlying technology is to break. The business model may then fol- 
low that pioneered by Nintendo and other game console makers, in which 
expensive software subsidises cheap hardware. NGSCB/Palladium will 
then just be a subsidised enabling component, whose real function is to 
maximise revenue from high-price products such as Office, games and 
content rental. 

If some set of mandatory access controls for email become a popular 
corporate application under Windows 2003, and mandatory access con- 
trols eventually require a TC platform, then corporate users may also 
have little choice but to migrate. In fact, they may have even less choice 
than music subscribers. Music fans can always go out and buy new CDs, 
as they did when CDs replaced vinyl; but if many corporate and official 
communications and records come to be protected using cryptographic 
keys that cannot conveniently be extracted from embedded mandatory 
access control mechanisms, then companies may have no choice at all 
but to follow the TC mechanisms that protect and control these keys. 

Switching costs and lock-in 

The role of switching costs in the valuation of information goods and 
services companies has been recognised over the last few years. In in- 
dustries dominated by customer lock-in - such as the software industry 
- the net present value of a company’s customer base is equal to the 
total switching costs involved in their moving to a competitor [SV98]. If 
it were more than this, it would be worth a competitor’s while to bribe 
them away. If it were less, the company could simply put up its prices. 

One effect of TC is to greatly increase the potential for lock-in. Sup- 
pose for example that a company information systems manager wants 
to stop buying Office, and move his staff to OpenOffice running on a 
GNU/Linux platform. At present, he has to bear the costs of retraining 
the staff, the cost of installing the new software, and the cost of con- 
verting the existing archives of files. There will also be ongoing costs of 
occasional incompatibility. At present, economic theory suggests that 
these costs will be roughly equal to the licence fees payable for Office. 

However, with TC, the costs of converting files from Office formats 
to anything else may be hugely increased [Brockmeier2003]. There may 
simply be no procedure or mechanism for export of TC content to a non- 
TC platform, even where this is fully authorised by the content owner. 




Cryptography and Competition Policy 



If the means for such export do exist, they are unlikely to be enough 
on their own if TC mandatory access control mechanisms become at all 
widely used. This is because much of the data in a company’s files may 
come to be marked as belonging to somebody else. 

For example, a law firm may receive confidential client documents 
marked for the attention of a named set of partners only. The law firm 
might feel the need to retain access to these documents for six years, in 
case they had to defend themselves against allegations of malpractice. 
So they would have to get their client’s permission to migrate the docu- 
ment to, say, a TC/Linux platform running OpenDRM and OpenOffice. 
A firm of any size will acquire thousands of business relationships, some 
of which go sour; even if the logistics and politics of asking counterpar- 
ties for permission to migrate documents were acceptable, a number of 
the counterparties would almost certainly be uncooperative for various 
reasons. Like it or not, the firm would be locked into maintaining a 
TC/Windows environment as well as the new one.⁴ Many similar scenarios 
can be constructed. 

There are soft effects as well as hard ones. For example, controversy 
surrounding the whole TC initiative can increase uncertainty, which in 
turn can lead businesses and consumers to take the view ‘better the devil 
you know’. The result can be an increase in switching costs beyond 
even that following from the technology. (Old-timers will recall the 
controversies over the ‘fear, uncertainty and doubt’ element in IBM’s 
marketing when IBM, rather than Microsoft, ruled the roost.) 

Antitrust issues 

There is thus a clear prospect of TC establishing itself using network 
effects, and of the leading TC application becoming in practice impossi- 
ble for a competitor to challenge once it has become dominant in some 
particular sector. 

This will shed a new light on the familiar arguments in information 
industry antitrust cases. Competition ‘for the market’ has been accepted 
by many economists of the information industries as being just as fair 
as competition ‘within the market’, especially because of the volatile na- 
ture of the industry, and the opportunities created every few years for 
challengers as progress undermines old standards and whole industry 
sectors are reinvented. But if the huge and growing quantities of appli- 
cation data that companies and individuals store can be locked down, 
in ways that make it in practice impossible for the incumbents to be 
challenged directly, this argument will have to be revisited. 



⁴ In fact, from the professional practice viewpoint, accepting restricted documents seems to 
be very hazardous. For example, what if the named partners with access to the documents 
leave or die? 

In any case, the commercial incentive for Microsoft is clear. The 
value of their company should be roughly equal to the costs incurred 
- directly or indirectly - if their customers switched to competitors. 
If switching can be made twice as hard, then the value of Microsoft’s 
software business should logically double. 

There are further issues. Varian has already pointed out that TC can 
reduce innovation, by restricting the technical opportunities to mod- 
ify existing products [Varian2002]; things will become even worse once 
application data are locked down. At present, many software startups 
manage to bootstrap themselves by providing extra ways of using the 
existing large pools of application data in popular formats. Once the 
owners of the original applications embrace TC, there will be every in- 
centive for them to charge rentals for access to this data. This looks set 
to favour large firms over small ones, and incumbents over challengers, 
and to stifle innovation generally. 

Other software application vendors will face not just the threat of be- 
ing locked out from access to other vendors’ application data, but also 
the prospect that if they can establish their product and get many cus- 
tomers to use it for their data, they can use the TC mechanisms to lock 
these customers in much more tightly than was ever possible by using 
the old-fashioned mechanisms of proprietary data formats and restrictive 
click-wrap contracts. This will open the prospect of much higher com- 
pany valuations, and so many software vendors will come under strong 
pressure to adopt TC. The bandwagon could become unstoppable.⁵ 

Some specific industry sectors may be hard hit. Smartcard vendors, 
for example, face the prospect that many of the applications they had 
dreamt of colonising with their products will instead run on TC plat- 
forms in people’s PCs, PDAs and mobile phones. The information secu- 
rity industry in general faces disruption as many products are migrated 
to TC or abandoned. 

The overall economic effects are likely to include a shift of the playing 
field against small companies and in favour of large ones; a shift against 
market entrants in favour of incumbents; and greater costs and risks 
associated with new business startups. One way of looking at this is 
that the computer and communications industries will become more like 
traditional industry sectors such as cars or pharmaceuticals. This may 
turn out to be a decidedly mixed blessing. 

⁵ There does, of course, linger some doubt about the extent to which Microsoft, Intel and the 
other TC core members may retain some residual control over the TC mechanisms, which 
might be used to the detriment of a new TC-using company that came to be seen to pose a 
threat to platform dominance as Netscape did. 

6. Conclusion and Scope for Future Work 

For many years, security engineers have complained that neither hard- 
ware nor software vendors showed much interest in building protection 
into their products. Early work in security economics now suggests why 
this was so [Ander2001]. The high fixed costs, low marginal costs, high 
switching costs and network effects experienced by many IT firms lead to 
dominant-firm industries with strong first-mover advantages. Time-to- 
market is critical, and so the 1990s Microsoft philosophy of ‘we’ll ship it 
on Tuesday and get it right by version 3’ was completely rational. Also, 
when competing to dominate a network market, firms have to appeal to 
the vendors of complementary goods and services. So operating system 
vendors have little incentive to offer complex access control mechanisms, 
as these simply get in the way of application developers. The relative 
unimportance of the end users, compared to the complementers, leads 
firms to adopt technologies (such as PKI) which cause application ven- 
dors to dump security and administration costs on to end users. Control 
of the application programming interface is critical to a platform owner, 
so best make it proprietary, complicated, extensible and thus buggy. It 
is much more important to facilitate price discrimination than to facili- 
tate privacy. Finally, in the absence of wide knowledge of security, the 
lemons effect caused bad products to drive out good ones anyway. 

What should have suddenly changed Microsoft’s mind? 

A cynic might argue that the recent Department of Justice antitrust 
settlement binds Microsoft to sharing information about interfaces and 
protocols except where security is involved. There is thus an incentive 
to rebrand everything the company does as being security-sensitive. Mi- 
crosoft has also argued that recent publicity about network attacks of 
various kinds was a driver. However, Microsoft has already used obscu- 
rity of protocol design from time to time as a competitive tool. There is 
also a growing consensus that security scaremongering is getting out of 
hand to the point that the average US business may be spending too much 
on information security rather than too little. Surely a worm or two a 
year cannot justify a significant change of policy and direction. 

This paper argues that another important factor in the recent decision 
by Microsoft to spend nine-figure sums on information security, after 
virtually ignoring the issue for decades, is the prospect of increasing 
customer lock-in. (It should be noted that Intel, AMD, IBM and HP 
are also making significant investments in TC, despite no immediate 
antitrust threats.) 

There are many other issues raised by TC, from censorship through 
national sovereignty to the fate of the digital commons and the future 
of the free and open source software movement [TCPA-FAQ]. But while 
these issues also merit very serious consideration, they should not alto- 
gether deflect regulators and other policymakers from viewing TC de- 
velopments through the lens of competition policy. 

What should legislators and regulators do? Perhaps some useful 
precedents can be found in patent law. For years, an unlawful tying con- 
tract would invalidate a UK patent; if I had a patent on a flour milling 
process and licensed it to you on condition that you buy all your wheat 
from me, then by making that contract I made my patent unenforceable 
against you (or anyone else). At the very least, one might suggest that 
the legal protection apparently granted by the DMCA and the EUCD to 
TC mechanisms that claim to be enforcing copyright should be voided 
in the event that they are used for anti-competitive purposes, such as 
accessory control or increasing customer lock-in. 

But how should a regulator differentiate between ‘good’ and ‘bad’ ty- 
ing? After all, it is a well known proposition in undergraduate economics 
courses that price discrimination is often efficient. 

We would suggest that this question may be one of the more urgent 
and interesting facing the economics community today. An analysis 
purely on innovation grounds may not be particularly useful: government- 
mandated interoperability would reduce the incentives for innovation by 
incumbents, so regulators would have to balance the costs to incumbents 
against the benefits to future challengers. As incumbents are more able 
to lobby than future challengers - who may not even exist yet - this is 
a difficult balance to manage politically. 

As an alternative, we suggest the test for legislators to apply is whether 
TC mechanisms increase, or decrease, consumer surplus. This is also 
the test that the literature on abusive patent settlements would sug- 
gest [Shapiro2002]. Given the claims by TC supporters that TC will 
create value for customers, and the clear expectation that it will also 
create value for the vendors, and all the fog of impassioned argument 
about the rights and wrongs of digital rights management, perhaps the 
test of whether the consumers end up better off or worse off may be the 
most simple and practical way to arrive at a consistent and robust policy 
direction on TC. 
The purpose of DRM systems is to provide rights-holders with 
the means to control how their copyrighted materials can be 
used. 

There are many stakeholders in the production and use of Digital 
Rights Management (DRM) systems, and the incentives influencing their 
behaviour and the interactions between them are complex. In this paper 
I argue that it may well be more socially efficient to use market mecha- 
nisms to protect copyright holders, rather than spending large amounts 
of money on the development and deployment of stronger DRM mecha- 
nisms. 

The most publicly visible proponents of DRM systems are those whose 
economic rights would be protected by them. Of these, the most promi- 
nent in the media are the record and movie industry associations. The 
message that they seem anxious to communicate to the public is that 
unauthorized duplication of music tracks will destroy the industry. They 
conflate the effects of commercial and private copying, and most of the 
messages seem to portray a general nervousness reminiscent of the Y2K 
‘crisis’. 

Within the industry, though, organizations such as the British Phono- 
graphic Industry are painting a very different picture. The BPI’s ‘Market 
Information’ newsletter for February 2003 put ‘intense competition from 
other areas of the entertainment sector’, and ‘increasing economic un- 
certainty’ before unauthorized copying of recorded music in the list of 
reasons for a drop in sales. It said further that ‘despite the downturn in 
sales in 2002, UK record companies sustained sales of music at a very 
high level’ and ‘[the market value] represents the second highest total 
ever achieved’. The figures also show that ‘the volume of CD albums 
shipped in 2002 reached another all time high: 221.6m units’ [BPI, 2003]. 
Given that the technology to duplicate music has been available to the 
consumer for many years, this hardly looks like an industry in desper- 
ate need of strong DRM protected from circumvention by legislation. A 
BBC News article in response to the same figures stated that ‘the British 
record industry has experienced its biggest sales decline in decades’ and 
that ‘the BPI says piracy is the main factor’ [BBC News, 2003a]. 

The purpose of DRM systems is to provide rights-holders with the 
means to control how their copyrighted materials can be used. For ex- 
ample, the holder of the copyright in an e-book might be able to time 
limit a purchaser’s ability to read the book, or restrict the amount of 
material that can be printed out. This paves the way for far more finely 
grained market segmentation than is currently available in most media, 
and it is unclear whether having a diversity of licensing restrictions on 
content, enforced by DRM, will be socially efficient. This possibility 
for segmentation is already being exploited by some of the subscription 
services for music, who offer different levels of subscription with a vary- 
ing number of downloads that can be transferred to permanent media, 
portable music players etc. 

DRM systems are afforded further protection by articles 11 and 12 
of the WIPO Copyright Treaty, which is implemented in national legis- 
lation such as the Digital Millennium Copyright Act in the US, and in 
implementations of the EU Copyright Directive in Europe. It states that 
‘Contracting Parties shall provide adequate legal protection and effective 
legal remedies against the circumvention of effective technological pro- 
tection measures [...]’ and also states the remedies should be provided 
against those who ‘remove or alter any electronic rights management 
information without authority’ or distribute, broadcast etc. any works 
from which the protection has been removed. 

‘Free uses’ of copyright material cause significant problems in the 
implementation of DRM systems, as do the concepts of ‘fair use’ and 
‘fair dealing’. ‘Free uses’ are acts that can be carried out without the 
authorization of the copyright holder, and without any obligation to 
compensate him. ‘Fair use’ and ‘fair dealing’ can also take into account 
the ‘nature and purpose of the use, including whether it is for commercial 
purposes’ [WIPO]. An example of this is quoting for the purposes of 
satire: it would be impossible to describe this limitation to protection 
in any DRM policy. This is a ‘problem’ that can only be solved at the 
social level. Furthermore, the circumvention of any DRM mechanism 
for the purposes of free use and fair use/fair dealing will be illegal under 
some proposed national legislation implementing the WIPO Copyright 
Treaty. 

Even with the strongest DRM mechanisms we have today, the BORA 
(break once run anywhere) principle still holds. Once content is retrieved 
from a DRM system and re-encoded in a non-DRM protected form, the 
duplication of that content is as easy as moving the bits around. This 
means that the cost of breaking the DRM on a particular piece of con- 
tent need only be borne once. The marginal costs of the duplication 




How much is stronger DRM worth? 



to the consumer who can obtain the content are near-zero, and fur- 
thermore the consumer need not expend any resources in breaking the 
DRM. Even in the extreme cases where the quality of the content is 
very low, as with Video CDs encoded from camcorder recordings illic- 
itly made in cinemas, markets are created in these CDs. This suggests 
that DRM will do nothing at all to prevent the commercial copyright 
infringement that appears to be hurting the industry the most. Water- 
marking may go some way towards preventing this, but there are two 
obstacles to be overcome. The first is the ease with which some con- 
temporary watermarking mechanisms can be defeated in a re-encoding 
process [Petitcolas, Anderson and Kuhn]. The second is that either legis- 
lation or market mechanisms must be used to make players that enforce 
policies on watermarked content ubiquitous. An alternative would be 
to use watermarking for the purposes of tracing the original from which 
the content was copied, but these watermarks may again be trivially 
removable. Only weak DRM is needed to protect against casual copying, 
and even the strongest DRM systems available are unable to defeat a 
determined, well-resourced adversary. 

A message peddled by the record industry is that they ‘can’t compete 
with free’, but in fact it is far from clear that the costs of copyright 
infringement to the consumer of content are zero. Although the costs 
of exchanging the content once any DRM mechanism has been broken 
are close to zero, the costs of forming the social networks necessary to 
support this exchange are far higher. In the case of the film trading 
‘scene’, the amount of time necessary to make oneself a member of the 
community is high. In the case of most peer-to-peer networks, the costs 
of forming the networks have initially been borne by companies hoping 
to make money out of piggy-backing other services. The sunk costs of 
providing a network that provides the search features that an average 
consumer wants are high, however, and no company seems to have pro- 
duced a business model capable of recouping them in any reasonable 
time. 

There are also technical aspects that increase the transaction costs to 
the consumer of material on which copyright has been infringed. Many 
companies providing broadband access to consumers have started to put 
restrictions on the total amount of data that they can transfer in a given 
time period. To transfer the content on a DVD losslessly would consume 
nearly five days’ quota with one popular UK cable operator [BBC News, 
2003]. There is also the issue that most consumer broadband systems 
are asymmetric, and hence the exchange of large amounts of content 
between broadband customers is necessarily slower than if they were 
downloading from a better-connected machine. It may no longer seem 
worthwhile to a broadband customer to exchange content with a person 
from whom he has no guarantee of getting anything in return, if the 
costs to him in terms of the use of his quota and the slowing down of 
his Internet connection are large. 
We therefore see that exchanging content is not by any stretch of the 
imagination free, as is claimed by many content industry representa- 
tives. In obtaining content, we must take into consideration the costs of 
forming social networks necessary to get access to the material, and the 
costs in terms of time spent locating and downloading it. The costs in 
terms of usage of ISP allocated quota also become an issue when dealing 
with large video files, and people may become less altruistic in exchang- 
ing content with each other once these costs become more visible. The 
use of P2P networks often incurs high search costs in order to find qual- 
ity content; only a service that offered good indexing and consistent, 
high-quality content would be a real threat to a content industry run 
offering. 

The presence of these costs suggests that if the industry were willing 
to compete in supply of content with the ‘free’ services currently avail- 
able, market mechanisms could achieve the goals that strong DRM sys- 
tems were supposed to. Legislation already deals with combating large- 
scale commercial copyright infringement, although effective enforcement 
is sometimes lacking. The industry has significant advantages in reduc- 
ing transaction costs of obtaining content to the consumer, even in the 
case of ‘paid for’ services. 

The first advantage is that they can build on well-known record indus- 
try brands. They also have the necessary bargaining power to negotiate 
with ISPs for loosening of the quota restrictions for their particular con- 
tent. This is especially likely given that bandwidth within ISPs is, to a 
first approximation, free, and the colocation of servers for content within 
large ISPs is a real possibility. The ISP would have an incentive to par- 
ticipate in such a scheme, as the colocation of industry-provided content 
might well reduce the usage of expensive, external bandwidth. The in- 
dustry would also be able to provide easy sampling of audio tracks/film 
clips before purchase, and much lower search costs. This could well lead 
to market selection in favour of ‘paid for’ services, if they are seen to 
save time and increase convenience in comparison with other systems. 

Some companies are already moving in the direction of such business 
models: in the US, Pressplay and MusicNet offer subscription based ser- 
vices, and ‘dotmusic ondemand’ has recently become available in Europe 
[Subscription Services]. These services not only allow streaming of an 
unlimited number of tracks after a subscription is paid; they include a 
number of downloads that can be transferred to more permanent me- 
dia such as CDRs. Some DRM is used in delivery of these services, 
but it is significantly weaker than some of the hardware-based schemes 
currently under consideration. This signals a shift from the traditional 
business model of selling music and video recordings as, for example, a 
book would be sold, to a service-based model where entertainment is 
provided on a subscription basis. 

In conclusion, the evidence suggests that very little should be spent 
on the development and roll-out of stronger DRM mechanisms. The 
stated goals of the content owners can, to a large extent, be achieved 
by entering into competition with the ‘free’ services, and letting market 
mechanisms do their work. The lack of incentive for major investment in 
stronger DRM systems leads us to question if they are being developed 
solely to increase customer lock-in to specific technologies [Anderson, 
2003]. 
‘Trusted computing’ technologies promise to enable media 
players within a PC to execute with the same level of re- 
sistance to piracy that one would expect from a proprietary 
hardware player 



The viability of content piracy hinges on the resource costs of and 
risk from two required steps: extracting content from its protected form 
and then distributing copies of that content. History demonstrates that 
advances in technology often reduce these costs. The latest such advance 
comes in the form of extraction tools and peer-to-peer networks that 
automate both steps of the piracy process and put them in the hands of 
the average consumer. In response, the entertainment industry is looking 
to protect its content using ‘trusted computing’ technologies, which 
aim to place content extraction technology back outside the reach of 
the average consumer. We explore the implications of such technologies 
and argue that history, against the hopes of the entertainment industry, 
may continue to repeat itself. 

A brief economic history of piracy 

The cost of pirated goods is a function of the costs of extracting 
content and distributing copies. We refer to the one-time extraction cost 
as e (sometimes called the first-copy cost) and the per-copy distribution 
cost as d. The total per-copy cost of pirating n copies thus equals e/n + d, 
where the cost of extraction is amortized over the number of copies. 
Using this simple formula as a guide, we briefly review the evolution 
of the economics of piracy and set a framework for understanding the 
reasoning behind the anti-piracy techniques used in the past and those 
being proposed today. 

Before the days of consumer-writable media, the cost of piracy was 
dominated by the per-copy distribution cost d. No effort was expended 
to make it costly to extract content from media. This one-sided approach 
makes sense when one considers the components of the distribution cost 
d: the resource costs related to purchasing and writing media and the 
legal liability costs associated with the distribution of pirated content 
in countries that enforce intellectual property laws. The direct effect of 
high resource costs is to limit the number of pirates. Because the average 
consumer could not afford to produce pirated media, the entertainment 
industry could easily afford to pursue legal action against those few 
with the financial resources for engaging in piracy. Such legal actions 
had the effect of increasing liability, which ultimately resulted in further 
increases in per-copy distribution costs. 

The advent of audiotape and videotape made recording technology 
and media available at a reasonable cost, and the widespread acceptance 
of consumer VCRs created a demand for pirated video content.¹ 
These technology changes dramatically reduced d, and the entertainment 
industry reacted by endeavoring to increase e. 

In particular, the industry introduced anti-piracy mechanisms into 
content-players and recorders in order to raise the cost of extraction 
high enough so that this cost could only be justified if amortized over 
a large number of copies. Consumer VCRs were built with technology 
that would refuse to record audio and video signals from sources of copy- 
righted content [Corporation, ]. In parallel, the entertainment industry 
also employed patent protection and industry license agreements to force 
manufacturers to include anti-piracy mechanisms in their content play- 
ers. These legal barriers were meant to exclude from the content-player 
market any manufacturer not complying with the anti-piracy design re- 
quirements. Increasing e made casual piracy prohibitively expensive, 
and the entertainment industry again kept piracy at bay by investigat- 
ing and prosecuting only a small number of distributors. 

The development of digital content players and cheap digital media 
again dramatically changed the economics of piracy by driving the resource 
costs related to purchasing and writing media to near zero.² In 
addition, digital media eliminated the problem of copy degradation and 
further drove down the costs of distribution. At first, the entertainment 
industry reacted by delaying the introduction of high-density, writable 
digital media into the consumer market. However, once personal com- 



Lvcn though the proliferation of pirated content was limited by imperfections introduced as 
copies of copies were made on analog media, these consumer technologies reduced d to the 
point where the number of potential pirates could increase dramatically. 

“At the time of this writing, storage costs were approximately 30 cents per gigabyte for 
removable media, such as DVDs/CDs, and $1 per gigabyte for fixed storage, such as hard 
disks. 
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puters (PCs) advanced to the point where compressed audio and video 
was easy to play and distribute across the Internet, it no longer made 
economic sense to block the sale of high-density, writable drives to con- 
sumers. Writable CD-ROM drives are now standard equipment on PCs, 
and drives that also write to DVD will soon take their place. 

A primary goal of the DVD format was to protect digital video from 
piracy. As with VCRs, legal barriers and economic incentives were put 
in place to ensure that manufacturers could only produce a DVD reader 
if it included anti-piracy mechanisms to thwart content extraction and 
reverse engineering [Anderson, 2001, page 431]. Once again, the in- 
dustry’s legal efforts would then focus on a smaller set of larger pirate 
distributors. For these reasons the industry has fiercely protected the 
DVD format, filing suit under the new Digital Millennium Copyright 
Act (DMCA) to keep video content extraction tools out of the hands 
of consumers [Hansen, 2001; Harmon, 2001]. The entertainment indus- 
try has also tried, rather unsuccessfully, to retrofit the CD format with 
similar content-extraction protections [Borland, 2002a]. 

Napster was the first system to integrate the end user into the distri- 
bution process. The reduction in the per-copy cost of pirated content 
was so significant that the market for pirated music and video content 
exploded. The market growth was aided by an image of legitimacy re- 
sulting from extensive press coverage and professional looking software. 
Having failed to protect content on CDs, the recording industry attacked 
the distribution channel, suing Napster as it would any other large dis- 
tributor of pirated content. Though Napster’s centralized infrastructure 
failed to survive legal attack, newer systems such as Gnutella and Kazaa 
evolved to use distributed infrastructures more resilient to legal action 
against individual components. While the Recording Industry Associa- 
tion of America (RIAA) is working to bring makers of piracy applications 
into US jurisdiction [Borland, 2002b] and break the corporate veil [Olsen, 
2002], these piracy networks are designed to live on long after the demise 
of their creators. 

Without an effective way to raise extraction costs or eliminate the 
current peer-to-peer distribution channels using legal attacks, the en- 
tertainment industry has undertaken a two-pronged effort to raise the 
per-copy distribution cost seen by individual consumers. On the legal 
front, the industry is using high profile litigation against a few individ- 
uals, in hopes of raising in all consumers the perceived liability of using 
these networks [McCullagh, 2002]. It is a strategy that appears to be 
having an effect [Harmon, 2003b]. The industry is also learning to use 
a technical approach to raising distribution costs. In particular, it is 
attacking the confidentiality, integrity, and availability of peer-to-peer 
distribution networks. 




THE ECONOMICS OF INFORMATION SECURITY 



Enter ‘trusted computing’ 

While attacking channels for distributing pirated content has not been 
without benefit, it also has costs and limitations. Thus, the entertain- 
ment industry continues to explore new ways of protecting the content 
stored on media and played by software. In particular, ‘trusted comput- 
ing’ technologies promise to enable media players within a PC to execute 
with the same level of resistance to piracy that one would expect from a 
proprietary hardware player, such as those used to play DVDs. If these 
technologies succeed, extracting content from the media of the future 
will be significantly more difficult than ripping a CD is today. 

Part of the success of the entertainment industry’s anti-piracy effort 
relies on its ability to make content extraction inconvenient enough to 
deter the general public. To be successful, the industry must also de- 
ter those individuals and defeat those systems that distribute pirated 
content. In short, the industry would like to return to the days when 
investigation and legal actions were sufficient to counter a reasonably 
sized set of professional pirates. 

Roadmap 

The per-copy cost of piracy, e/n + d, is at the heart of the ongoing 
battle between the entertainment industry and content pirates. In Sec- 
tion 5.1 we explain how ‘trusted computing’ technologies will be used 
to protect media players from content-extraction attacks, increasing the 
pirate’s cost of extraction, e. We describe attacks that may be employed 
against peer-to-peer distribution of pirated content in Section 5.2. If suc- 
cessful, these attacks will increase the pirate’s distribution costs, d, and 
reduce the number of copies, n, that the network is able to distribute. In 
Section 5.3, we explore how the ‘trusted computing’ technologies de- 
scribed in Section 5.1 can be used by pirates to secure their peer-to-peer 
networks against the attacks of Section 5.2. 

1. Protecting Content 

To protect their content, owners will encrypt it before writing it to 
media or otherwise transmitting it to media players. Media players 
will be required to provide a minimum level of resistance to content- 
extraction attacks before content-owners will entrust them with the de- 
cryption keys. Because the PC platform was not designed to resist such 
attacks, media players running on today’s PCs cannot make such guar- 
antees. Not surprisingly, the leading forces in the PC market formed 
the Trusted Computing Platform Alliance (TCPA), now succeeded by 
the Trusted Computing Group (TCG), to introduce technologies that 
will enable PCs and their applications to obtain the trust of the enter- 
tainment industry. Microsoft has also introduced similar technologies as 
part of its next-generation secure computing base for Windows, formerly 
known as Palladium. 

These efforts introduce into commodity computing hardware a private 
key of a public key pair, as described in Arbaugh, Farber, and Smith's 
early work on secure boot processes [Arbaugh et al., 1997]. After plac- 
ing the private key into the hardware, the manufacturer creates a signed 
certificate vouching that the hardware into which the key was placed ex- 
hibits certain properties, such as tamper-resistance, and that only this 
hardware was given the public key. The hardware may make claims, or 
attest to statements, to a remote entity by signing these claims with its 
private key. Trust in the claims certified by this remote attestation [Al- 
liance, 2000] process is only as strong as the trust in the entities that have 
signed off on the claims. Once claims regarding the identity and anti- 
piracy properties of the hardware and BIOS have been established, the 
BIOS may then attest to the identity of the code it will next execute, the 
operating system. In a final transitive step, an operating system trusted 
by the remote entity may then attest to the identity and integrity of 
the application it is running. In order to reduce the number of digital 
signatures required, hardware registers may be used to collapse these 
steps into a single claim by the hardware. Alternative approaches place 
full responsibility for protecting clients in the hardware, removing the 
need for attestation of the operating system [Lie et al., 2000; Suh et al., 
2003]. 

If each link in the chain is trustworthy then a remote entity may 
rely upon a client application to behave with the trust properties, such 
as resistance to content-extraction, for which the application has been 
certified. Because operating systems rely upon hardware for their correct 
operation, and applications rely upon operating systems for their correct 
operation, each attestation step builds on the prior trust layers. If any 
layer turns out not to be trustworthy, it may subvert all the layers above 
it. 
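The chain just described, as an added Python sketch that is not code from the chapter or from the TCG or Microsoft designs it discusses: each layer hashes the next one and folds the hash into a register (the "hardware registers" that collapse the steps into a single claim), the hardware signs the final register together with a nonce chosen by the remote entity, and the remote entity admits only platforms whose register matches a chain it has certified. The code images, the key and the trusted set are constructed; an HMAC stands in for the hardware's asymmetric signature so the example runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed stand-in code images for the layers of the chain
# (hypothetical byte strings, not real firmware or binaries).
BIOS_IMAGE = b"bios-image-constructed"
OS_IMAGE = b"os-image-constructed"
APP_IMAGE = b"media-player-image-constructed"

# Stand-in for the private key the manufacturer placed in the hardware.
# An HMAC key replaces the asymmetric key so the example has no external
# dependencies; the shape of the exchange is unchanged.
HARDWARE_KEY = b"hypothetical-hardware-private-key"

RESET_VALUE = b"\x00" * 32  # register contents at power-on


def measure(image: bytes) -> bytes:
    """A component's identity is the hash of its code image."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """Fold one measurement into the register: R' = H(R || m).
    Order matters and no earlier value can be undone, which is what lets a
    single register stand for the whole chain."""
    return hashlib.sha256(register + measurement).digest()


def boot(images) -> bytes:
    """Each layer measures the next before passing control to it; after
    BIOS -> OS -> application the register summarizes all of them."""
    register = RESET_VALUE
    for image in images:
        register = extend(register, measure(image))
    return register


def quote(register: bytes, nonce: bytes) -> bytes:
    """The hardware signs (register, nonce). The nonce, chosen by the remote
    entity, keeps an old quote from being replayed."""
    return hmac.new(HARDWARE_KEY, register + nonce, hashlib.sha256).digest()


def verify_quote(register: bytes, nonce: bytes, signature: bytes,
                 trusted_registers) -> bool:
    """Remote entity: first check that the certified hardware made this claim,
    then check that the claimed chain is one whose components it trusts."""
    expected = hmac.new(HARDWARE_KEY, register + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    return register in trusted_registers


def admit_platform(images, nonce: bytes, trusted_registers) -> bool:
    """Full exchange: the platform boots, is challenged with a nonce, answers
    with a quote, and is admitted only if the quote verifies."""
    register = boot(images)
    return verify_quote(register, nonce, quote(register, nonce), trusted_registers)


if __name__ == "__main__":
    trusted = {boot([BIOS_IMAGE, OS_IMAGE, APP_IMAGE])}
    print(admit_platform([BIOS_IMAGE, OS_IMAGE, APP_IMAGE], b"nonce-1", trusted))
    # A modified operating system changes the register, so the unchanged
    # application above it is rejected along with it.
    print(admit_platform([BIOS_IMAGE, b"patched-os-constructed", APP_IMAGE],
                         b"nonce-1", trusted))
```

The same verifier logic is the admission policy of Section 5.3: a peer-to-peer network that accepts only platforms whose register is in a set vouched for by one authority.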

Once a trust infrastructure is in place, the entertainment industry may 
protect its content by encrypting it and only transmitting the keys to 
those platforms built from components (hardware, operating system, and 
applications) that it trusts. In order to ensure the confidentiality of the 
keys that protect content and the unencrypted content itself, additional 
operating services are required to protect them while applications use 
them. Specifically, the operating system must protect the application’s 
memory and, if keys are to be stored locally, its file storage. Operating 
system services will also be required to protect the content on its way 
to the screen or audio card, lest content be stolen in a digital format on 
its way to the user. Microsoft’s next-generation secure computing base 
for Windows provides each of these services under the names curtained 
memory, secure storage, and secure input and output. 

However, if humans are to eventually hear the protected audio signals 
and view the protected video signals, then this protected content can 




also be recorded. Since video cameras and music recorders can record 
and store any information perceivable to human eyes and ears, secure 
output paths all the way from computer to user are therefore impossi- 
ble. A motivated attacker, who purchases the highest quality viewing 
or listening equipment and pairs it with equipment that can record the 
experience, will be able to produce a copy that is good enough to please 
a vast number of consumers. These limitations are acceptable if the goal 
is only to increase the cost of extraction enough to deter consumers, not 
professional pirates, from making copies. 

2. Attacking Peer-to-Peer Distribution 

Because no level of media protection can raise the cost of extraction 
beyond the cost of recording the signal presented to the user, a successful 
anti-piracy effort must also work to maintain a high cost of distributing 
pirated content. In particular, the entertainment industry must deter- 
mine how it can deter peer-to-peer distribution of its pirated content. 

We explore attacks on peer-to-peer networks and the countermeasures 
used to defeat them. We consider these attacks with regard to the secu- 
rity assets they target: confidentiality, integrity, and availability. 

Confidentiality 

Breaches of confidentiality both increase the expected liability cost of 
distributing content and reveal information that can be used to write 
programs that attack the system’s integrity and availability. 

If caught, both senders and receivers of pirated content may face law- 
suits or other forms of retaliatory action. Using today’s peer-to-peer 
networks is particularly risky because anyone eavesdropping between the 
sender and the receiver may observe pirated content in transit. Even if 
content was transmitted in encrypted form, the eavesdropper could use 
traffic analysis to determine the network addresses of the sender and the 
receiver and the size of the files being transferred. These attackers use 
confidentiality attacks to interrupt file transfers [Borland, 2003], locate 
pirates in order to send them cease and desist messages [Harmon, 2003a], 
and gather evidence for litigation. 

The first step in protecting the confidentiality of the network is to 
encrypt the data sent over it so that only the sender and receiver know 
what was sent. However, there is nothing encryption can do to ensure 
that the party at the other end of the line, who knows what was transmit- 
ted, is not the attacker. For this reason systems that provide anonymity, 
or at least plausible deniability, are desirable. In such systems, the at- 
tacker may know that copyrighted content was transmitted through the 
network but cannot identify the original sender or final recipient. 

A common approach to anonymous networking is to re-route com- 
munications through more nodes than can be tracked effectively [Reiter 
and Rubin, 1998; Syverson et al., 1997]. Attackers may watch the com- 
munication as it travels through the network or run routers that expose 
routing information, but these threats may be mitigated so long as a 
reasonable fraction of the routers act to keep routing information confi- 
dential. At present, there is no way to determine which clients will route 
traffic through the network with the intent of protecting anonymity. 

Attacking the network is not the only way to breach the confidentiality 
of the peer-to-peer system. By running the peer-to-peer client software 
and thus controlling a peer, an attacker may look into the peer-to-peer 
network through the “eyes” of its client software. Client software has 
no secrets because operating systems make every byte of a program’s 
memory available to the machine’s administrator, or root account. The 
attacker can locate encryption keys, network topology information, or 
any of the other information required to participate in the peer-to-peer 
network. Once confidentiality has been breached, the attacker may use 
the information to write programs to impersonate a genuine peer-to- 
peer client and attack the network from within. Such programs are 
invaluable to the attacker as they enable scalable attacks on integrity 
and availability. 

Integrity 

The integrity of information in a peer-to-peer system may be attacked 
through the introduction of degraded-quality content or by misrepresent- 
ing the identity of the content. In the context of music, these attacks 
have included introducing noisy recordings or falsely labelling songs. 
Attacks on the integrity of information describing the operation of the 
peer-to-peer network, such as the network’s topology and routing in- 
formation, may disrupt communication or even prevent users from ever 
accessing the network again. If clients are disconnected from the net- 
work, or if content may be misrepresented or its quality decreased, then 
the user’s cost of obtaining pirated content (part of the distribution cost) 
will increase. 

Reputation systems counter corrupt content attacks by enabling users 
to rate the validity of content and those who provide it. To ensure that 
all copies of the same content share the same reputation, content may 
be identified by its fingerprint (or hash). This enables reputations to 
scale far beyond trust in the user and allows widely duplicated corrupt 
files to be recalled quickly. 

To ensure that an attacker cannot modify or delete its client’s reputa- 
tion information, designers must distribute this information among the 
other clients using protocols that prevent tampering. Because attackers 
can delete clients and reinstall new ones, a reputation system should also 
maintain information for the machines on which clients run. Confound- 
ing this problem are virtual machines, in which the few potential unique 
machine identifiers (e.g. network card addresses) may be modified easily. 
While we may construct reputation systems to be resilient to a large 
number of malicious users, no existing system is immune to attack from 
an unlimited number of such users [Cornelli et al., 2002; Kamvar et al., 
2003]. If the attacker can write programs that impersonate genuine 
clients, there is no limit to the number of malicious peers that can be 
introduced into the system. 
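The fingerprint-keyed reputation store described above, together with the limit stated in the last paragraph, as an added Python sketch (not code from the chapter or from any of the systems it cites): votes are keyed by the hash of the content so that every exact copy shares one reputation regardless of file name or source, raters are weighted by standing, and a helper shows what happens when an attacker can mint identities freely. The weights, threshold and sample bytes are constructed for illustration.

```python
import hashlib
from collections import defaultdict


def fingerprint(content: bytes) -> str:
    """Identity of a file is the hash of its bytes: file name, source peer and
    directory play no part, so every exact copy shares one reputation."""
    return hashlib.sha256(content).hexdigest()


class ReputationStore:
    """Votes on content keyed by fingerprint, weighted by rater standing.
    Constructed policy: a rater with no history counts NEW_RATER_WEIGHT,
    an established rater counts up to 1.0."""

    NEW_RATER_WEIGHT = 0.1
    RECALL_THRESHOLD = -2.0

    def __init__(self):
        self.votes = defaultdict(dict)   # fingerprint -> {rater_id: +1 or -1}
        self.weights = {}                # rater_id -> weight

    def establish(self, rater_id: str, weight: float) -> None:
        """Record standing a rater has earned (how it is earned is outside
        this sketch)."""
        self.weights[rater_id] = weight

    def rate(self, rater_id: str, content: bytes, good: bool) -> None:
        self.weights.setdefault(rater_id, self.NEW_RATER_WEIGHT)
        self.votes[fingerprint(content)][rater_id] = 1 if good else -1

    def score(self, content: bytes) -> float:
        fp = fingerprint(content)
        return sum(self.weights[r] * v for r, v in self.votes[fp].items())

    def is_recalled(self, content: bytes) -> bool:
        """Below the threshold the file is treated as corrupt and no longer
        offered, however many peers still hold copies of it."""
        return self.score(content) <= self.RECALL_THRESHOLD


def flood_with_fresh_identities(store: ReputationStore, content: bytes,
                                count: int, good: bool = True) -> float:
    """Models the failure mode in the text: `count` fresh client identities all
    vote the same way. A low weight for new raters raises the number of
    identities needed, but if identities are free the attacker simply uses
    more of them. Returns the resulting score."""
    for i in range(count):
        store.rate(f"fresh-{i}", content, good)
    return store.score(content)


if __name__ == "__main__":
    store = ReputationStore()
    noisy_rip = b"constructed bytes of a noisy recording"
    for rater in ("alice", "bob", "carol"):
        store.establish(rater, 1.0)
        store.rate(rater, noisy_rip, good=False)
    print("recalled after three established raters:", store.is_recalled(noisy_rip))
    flood_with_fresh_identities(store, noisy_rip, 30)
    print("recalled after 30 fresh identities vote it good:",
          store.is_recalled(noisy_rip))
```

Three established raters are enough to recall the file; thirty fresh identities at a tenth of the weight cancel them exactly, which is the point of the paragraph above: weighting only changes the price of the attack, and impersonated clients make that price close to zero.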

Availability 

More resources are expended performing searches on peer-to-peer net- 
works than are required to request that a search be performed. Attack- 
ers may use their client application to issue a large number of search 
requests, flooding the network with more requests than can be serviced. 
Alternatively, the attacker may force their client application to drop 
packets it was meant to route by manipulating the operating system or 
by simply disconnecting network cables at the right times. 

Peers can stem the flood of requests by requiring that requests be 
accompanied by proof that the requestor had performed computational 
work, restoring the balance between the computation costs of issuing 
and responding to requests. This approach was introduced by Dwork 
and Naor [Dwork and Naor, 1992] to increase the low cost of sending 
email and make sending spam unprofitable. This concept has been ex- 
tended to more general settings, such as preventing network level denial 
of service attacks for TCP [Juels and Brainard, 1999] and TLS [Dean 
and Stubblefield, 2001]. Requiring clients to solve puzzles before issuing 
requests could go a long way to prevent flooding attacks on peer-to- 
peer networks. However, the entertainment industry might be able to 
harness enough processing power to flood networks if its members can 
exploit the media players they control to perform puzzle computations 
on machines paid for by their users. 
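A hash-based client puzzle of the kind the paragraph above describes, as an added Python example (not code from the chapter or from Dwork and Naor, Juels and Brainard, or Dean and Stubblefield, whose constructions differ in detail): the responder issues a random challenge, the requester must find a nonce such that the hash of challenge, request body and nonce has a given number of leading zero bits, and the responder checks the answer with a single hash. The difficulty, challenge and request bytes are constructed.

```python
import hashlib
import secrets


def issue_challenge() -> bytes:
    """Responder side: a fresh random challenge, so work cannot be done ahead
    of time and one solution cannot be reused for many requests."""
    return secrets.token_bytes(16)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(challenge: bytes, request: bytes, nonce: int) -> bytes:
    """The puzzle binds challenge, request body and nonce together, so a
    solution found for one search request is useless for any other."""
    return hashlib.sha256(challenge + request + nonce.to_bytes(8, "big")).digest()


def solve(challenge: bytes, request: bytes, difficulty: int):
    """Requester side: find the smallest nonce whose hash has at least
    `difficulty` leading zero bits. Expected work is about 2**difficulty
    hashes. Returns (nonce, attempts) so the cost can be observed."""
    nonce = 0
    while leading_zero_bits(puzzle_hash(challenge, request, nonce)) < difficulty:
        nonce += 1
    return nonce, nonce + 1


def verify(challenge: bytes, request: bytes, nonce: int, difficulty: int) -> bool:
    """Responder side: one hash, however hard the puzzle was to solve. This
    asymmetry is what restores the balance between issuing and answering."""
    return leading_zero_bits(puzzle_hash(challenge, request, nonce)) >= difficulty


if __name__ == "__main__":
    challenge = issue_challenge()
    request = b"search: constructed query"     # constructed request body
    difficulty = 12                            # about 4096 hashes expected
    nonce, attempts = solve(challenge, request, difficulty)
    print(f"solved after {attempts} hashes; verifies: "
          f"{verify(challenge, request, nonce, difficulty)}")
```

Raising the difficulty by one bit doubles the requester's expected work while the responder's cost stays at one hash. The caveat in the text still applies: the puzzle prices requests in CPU time, so an attacker who can run puzzle computations on machines it does not pay for is not deterred by it.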

An alternative to client puzzles is to use the reputation systems men- 
tioned above to track individual machines’ utilization of network re- 
sources. The efficacy of this approach is limited if the attacker can 
corrupt the reputation system using programs that impersonate genuine 
clients, or even if a large number of genuine clients can be run on vir- 
tual machines and fed scripted input. The payoff to the entertainment 
industry of scaling such attacks comes in the form of increased barriers 
between users and pirated content, which in turn increases the per-copy 
cost of distribution. 

3. Defending Peer-to-Peer Distribution 

At the time of this writing, Sharman Networks, the makers of Kazaa, 
claims that well over 200 million copies of its client application have been 
downloaded. Because these networks contain vast resources, attacks will 
only be affordable if the cost of attack is many times smaller than the 
damages inflicted on the distribution network. 
The existing countermeasures described in Section 5.2 are sufficient 
to defend peer-to-peer networks against attacks from individual users 
running authentic clients on real machines. Attackers still have a leg up 
in that they may peer into clients running on their own machines, use 
this information to write programs that impersonate real clients, and 
run as many copies of these clients as they need to disrupt the network. 
Alternatively, they may script attack behaviors and feed those behaviors 
into a large number of authentic clients running in parallel on virtual 
machines. 

Can peer-to-peer networks be made immune from malicious client 
software written by the attacker? They can if the personal computer 
industry delivers on its promise of remote attestation. Though this tech- 
nology was envisioned to thwart pirates, it is exactly what a peer-to-peer 
system needs to ensure that no client application can enter the network 
unless that application, and the hardware (not a virtual machine) and 
operating system it is running on, has been certified by an authority 
trusted by the existing clients. The trust model may be quite simple: 
accept only new clients into the network if they are certified by the same 
authority that vouched for the existing clients. 

What’s more, if Microsoft delivers on the promises of its next-generation 
secure computing base for Windows, then clients can also be assured of 
secure storage and curtained memory. With these technologies, peer-to- 
peer systems can protect the confidentiality and integrity of the clients’ 
memories, which are collectively the memory of the entire network. 

4. Conclusion 

To thwart piracy the entertainment industry must keep distribution 
costs high, reduce the size of distribution networks, and (if possible) raise 
the cost of extracting content. However, if ‘trusted computing’ mecha- 
nisms deliver on their promises, large peer-to-peer distribution networks 
will be more robust against attack and trading in pirated entertainment 
will become safer, more reliable, and thus cheaper. Since it will always be 
possible for some individuals to extract content from the media on which 
it is stored, future entertainment may be more vulnerable to piracy than 
before the introduction of ‘trusted computing’ technologies. 
The real challenge is determining how much to spend and 
where to spend. This requires understanding of the economic 
issues regarding IT security. 



Increased interconnectivity among computers enabled by networking 
technologies has boosted the scale and scope of information technology 
(IT) related crimes (Denning 2000). The open-access nature of the net- 
worked world that facilitates easy exchange of information, goods, and 
services also presents the biggest impediment in the form of security. 
Today, as e-commerce continues to grow, so does cyber crime. 
IT security, which was once considered an overhead to a company’s main 
operations, is now widely recognized as an important aspect of business 
operations (Cagnemi 2001). IT Security is no longer purely the concern 
of the traditional high-risk category organizations such as those in the 
defense, military, or government sectors. It has become pervasive across 
all sectors of the economy. While high-risk organizations may adopt se- 
curity at any price, most commercial organizations have to consider the 
cost-benefit trade-off of security technologies for effective management 
of IT security. 

The importance of effective management of IT security from an eco- 
nomics perspective has increased in recent years due to increasing fre- 
quency and cost of security breaches. A recent survey by Computer 
Security Institute (CSI) and FBI 2002 found that ninety percent of 
respondents detected computer security breaches in the previous twelve 
months (Power 2002). The number of security breaches reported to 
Computer Emergency Response Team (CERT) has grown exponentially 
over the last decade, reaching 82094 incidents in 2002 up from 773 in 




1992, even though CERT counted each incident once, irrespective of how 
widespread the attacks were 1 (CERT/CC Statistics 2003). 

The cost of a single security breach can be enormous in terms of 
monetary damage, corporate liability and credibility and has been in- 
creasing at a rapid pace. A global survey conducted by InformationWeek 
and Pricewaterhouse Coopers LLP estimated that computer viruses and 
hacking took a $1.6 trillion toll on the worldwide economy and $266 
billion in the United States alone (Denning 2000). CSI/FBI 2002 sur- 
vey revealed that eighty percent of respondents acknowledged finan- 
cial losses due to security breaches, and forty-four percent were willing 
and/or able to quantify their financial losses. The total loss from com- 
puter crime incidents reported in the 2002 survey was $456 million in 
contrast to $266 million in 2000 and $124 million in 1999. 

Public attention about security breaches increased dramatically when 
companies like Amazon.com, Ebay, and Yahoo were hit by Denial-Of- 
Service (DOS) attacks in February 2000. A number of high-profile com- 
puter worms and viruses, such as Code Red, Nimda, and I Love You, also 
heightened the awareness. A fact that attests to this increased emphasis 
is a quote from a recent memo issued by Bill Gates to Microsoft’s em- 
ployees: “(the new emphasis is) more important than any other part of 
our work. If we don’t do this, people simply won’t be willing - or able 
- to take advantage of all the other great work we do. When we face 
a choice between adding features and resolving security issues, we need 
to choose security. Our products should emphasize security right out of 
the box.” 2 

In order to combat the computer crime problem the United States 
government has undertaken several measures. Computer-related crimes 
are federal offenses under the Counterfeit Access Device and Computer 
Fraud and Abuse Law 3 of 1984, which was expanded by the Computer 
Fraud and Abuse Act of 1986 and National Information Infrastructure 
Protection Act of 1996. The law classifies computer crimes and pro- 
vides sentencing guidelines 4 . The laws and regulations en- 
acted by governments act as a broad deterrent against IT-related crime. 

Given that firms have little control over implementation of laws and 
regulations to deter IT related crime, increased concerns for security 
breaches have led firms to increase the importance of IT Security management 
within firms. Today IT security management seeks to manage 
the risks associated with IT assets such as loss, disruption, and unau- 
thorized access of information and system resources. 

1 CERT considers an incident as any group of activities in which an intruder uses the same 
tool or exploit. An incident can affect anything from a single computer to computers at 
numerous locations. 

2 The new emphasis on security includes the unprecedented step of stopping development on 
new Windows operating system software for the entire month of February 2002 and sending 
the company’s 7,000 systems programmers to a special security-training program. 

3 Computer-related crimes can be charged under at least forty different federal statutes other 
than the Computer Fraud and Abuse Act. These federal statutes include the Copyright Act, the 
National Stolen Property Act, the mail and wire fraud statutes, the Electronic Communica- 
tions Privacy Act, and the Communications Decency Act of 1996. 

4 For a state of the art review of computer crimes law, see Nicholson et al. 2000. 

1. An economics perspective to IT security 
management 

While firms seem to realize the importance of security, the assess- 
ment of the economic value of security has proved to be challenging. 
Traditionally, organizations have regarded security as a kind of insur- 
ance policy that indemnifies them from losses due to security breaches. 
Commenting on the current state of affairs, Ron Knode, Computer Sci- 
ences Corporation’s global director of managed security services stated, 
“While most IS professionals recognize the benefits of protecting and se- 
curing data, the business leadership in the organization still sees security 
as ‘nice to have’ rather than ‘need to have’. It is not until something 
goes wrong before perceptions change. The fact is, it costs far less to 
establish the right security measures at the outset than it does to recover 
from a breach in security.” 5 

In fact, information security should be viewed as a value creator that 
supports and enables e-business, rather than simply as a cost of doing 
business. A secure environment for information and transaction flow can 
create value for the organization as well as its partners and customers. 
By the same token, security breaches can lead to breach of consumer 
confidence and trust in addition to lost business and third party liability. 
In a recent survey by Media Metrix only 12.1 percent of U.S. companies 
with a web presence cite direct financial loss as a concern in a security 
breach while more than 40 percent cite consumer trust and confidence (Pastore 
2001). 

Although the high profile attacks on popular e-commerce sites in re- 
cent years have highlighted the importance of security in the Internet age, 
security is still a tough sell to corporate managers. They want to see 
hard numbers to justify investments in security technologies, which are 
hard to get because of difficulties in estimating costs and benefits. Even 
though companies spend more money than ever for the deployment of 
security technologies, the IT security problem is not getting better. Firms 
need to recognize that even the best technology is not foolproof. Fur- 
thermore, even if such a foolproof technology existed, it may not always 
investment by analyzing the cost-benefit tradeoffs. Today IT security is 
shifting from what is technically possible to what is economically effi- 
cient. As pointed out by Crume (2000) “The first rule of IT security 
is that you [firms] should never spend more to protect something than 
the thing is actually worth.” Firms should carefully consider costs and 
benefits before making their security investment decisions. In other words, 
each firm should strike an appropriate balance between risk and oppor- 
tunity to reduce the risk through security controls. This balance must 
be defined within the context in which the business operates: firm characteristics 
and hacker characteristics. The ultimate decision is what to protect and 
how much to protect. 

5 CSC News Release, November 19, 2001. 

The growing importance of analyzing these tradeoffs is evident from 
the recent emphasis and discussion on economic aspects of IT security 
by both academics and practitioners alike. Economics-based research 
on IT security is a relatively new area where researchers examine IT 
security-related problems from cost-benefit perspective. Since it is a rel- 
atively new area, the literature in this stream is sparse. Researchers have 
addressed various security issues from an economics perspective, rang- 
ing from studies estimating the cost of security breaches and the value 
of security technologies to studies aiming at determining how much to 
invest in security and how to design an effective security architecture. 
Most of these studies basically follow one of the two prominent analysis 
techniques: decision theory or game theory. In the next four sections 
I categorize these studies into four groups based on the issues addressed, 
namely (i) estimation of the total cost of security breaches, (ii) assess- 
ment of the value of security technologies, (iii) determination of the 
optimal level of IT security investment, and (iv) other economics-based 
security studies. 

2. Assessing the total cost of security breaches 

The true cost of a security breach is multifaceted, and therefore difficult 
to quantify. The costs of security breaches can be broadly classified into 
transitory (or short-term) costs that are incurred only in the period in 
which the breach occurs and permanent (or long-term) costs that are 
incurred over the long term. The possible transitory costs of security 
breaches include lost business and worker productivity due to unavail- 
ability of the breached information resources, labor and material costs 
required to detect, contain and repair and reconstitute the breached re- 
sources, costs associated with evidence collection and prosecution of the 
attacker and costs related to providing information to customers and 
public and other media related costs (D’Amico 2000). 

The other group of costs is more permanent in nature and has a 
long-term effect on the breached firm’s future cash flows. These costs 
include those related to loss of customers that switch to competitors, 
inability to attract new customers due to perceived poor security, loss of 
trust of customers and business partners, potential future legal liabilities 
arising out of the breach and cost of competitor’s access to confidential 
or proprietary information. In addition, the firm may face increased 
insurance cost and higher capital cost in debt and equity markets because 
of perceived increase of business risk. 
The above costs can further be classified into tangible and intangible 
costs. It is possible to estimate some of the above costs such as lost sales, 
material and labor costs, and insurance costs. However, other costs such 
as those related to trust are difficult to calculate. Nonetheless these 
costs are extremely important in measuring the true cost of security for 
business. 

For many years, firms have generally relied on the cost estimates from 
the CSI-FBI surveys. According to the CSI-FBI Computer Crime and 
Security Survey 2002, which polled 503 respondents from organizations 
throughout the United States, 80% reported financial losses, but only 
44% (223) of them were able to quantify it. The total reported loss 
was $455,848,000 and the average estimated loss was $2,044,161 per 
organization across all types of breaches. The highest reported loss was 
for theft of proprietary information, reported by 41 organizations with an 
average of $4,166,512 per organization. The sabotage of data networks 
cost an average of $351,953 while denial-of-service attacks resulted in a 
$244,940 loss per organization. The reported losses included the firms’ 
estimates of direct and tangible costs associated with security breaches 
only. 

As discussed above, a security breach is multifaceted and can have 
both tangible and intangible costs. While most tangible costs are imme- 
diate or short-term, the intangible costs can have a long-term effect on 
the firm’s expected future cash flows. Therefore, using tangible costs to 
estimate the total cost of a security breach may be inadequate. However, 
quantifying intangible costs of a security breach is not easy. Although a 
direct way of measuring these costs seems difficult, an indirect estimate 
is possible through capital market valuation of firms. Cavusoglu et al. 
(2004a) propose a market valuation-based approach to estimate the true 
cost of security breaches. Their approach is based on efficient market hy- 
pothesis (Fama et al. 1969). In efficient markets, investors are believed 
to revise their expectations based on new information in announcements. 
Investors’ expectations are reflected in the value of the firm. Security 
problems may signal to the market a lack of concern for customer pri- 
vacy and/or poor security practices within the firm. These signals in 
turn may lead investors to question the long-term performance of the 
firm. If investors view a security breach negatively, believing that the 
transitory and long-term costs resulting from the breach will substan- 
tially reduce expected future cashflows, then using the change in market 
value of the breached firms around security breach announcement days 
can be a proxy to estimate the true cost of security breaches. 
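
The market-valuation approach described above is, in method, an event 
study: estimate what the firm's return "should" have been from its 
relationship to the market, then attribute the shortfall around the 
announcement to the breach. The following is an added worked example, 
not code from Cavusoglu et al. (2004a) or from this chapter. The market 
model (firm return = alpha + beta x market return) is the standard 
event-study normal-return model; the daily return series, the two-day 
event window and the $80 billion market capitalization are all 
constructed here for illustration.

```python
"""Event-study estimate of the market-value loss from a breach announcement.

Added example, not code from Cavusoglu et al. (2004a).  It follows the
standard market-model event study: fit the firm's normal return against the
market over an estimation window before the event, then sum the abnormal
returns (actual minus predicted) over the event window.  All return series
and the market capitalization are constructed here for illustration.
"""
from typing import List, Sequence, Tuple


def ols_market_model(firm: Sequence[float], market: Sequence[float]) -> Tuple[float, float]:
    """Fit R_firm = alpha + beta * R_market by ordinary least squares.
    Returns (alpha, beta)."""
    n = len(firm)
    if n != len(market) or n < 3:
        raise ValueError("need equal-length series with at least 3 observations")
    mean_f = sum(firm) / n
    mean_m = sum(market) / n
    cov = sum((m - mean_m) * (f - mean_f) for f, m in zip(firm, market))
    var = sum((m - mean_m) ** 2 for m in market)
    if var == 0.0:
        raise ValueError("market returns have zero variance; beta is undefined")
    beta = cov / var
    return mean_f - beta * mean_m, beta


def abnormal_returns(alpha, beta, firm_event, market_event) -> List[float]:
    """AR_t = actual firm return minus the return the market model predicts."""
    return [f - (alpha + beta * m) for f, m in zip(firm_event, market_event)]


def cumulative_abnormal_return(alpha, beta, firm_event, market_event) -> float:
    """CAR = sum of abnormal returns over the event window."""
    return sum(abnormal_returns(alpha, beta, firm_event, market_event))


# Constructed estimation window: 10 trading days before the announcement.
MARKET_EST = [0.010, -0.005, 0.002, 0.008, -0.012, 0.004, 0.000, -0.003, 0.006, -0.001]
FIRM_EST = [0.0005 + 1.2 * m for m in MARKET_EST]   # firm moves with beta 1.2, alpha 0.05%/day

# Constructed two-day event window: announcement day and the day after.
MARKET_EVENT = [-0.002, 0.003]
FIRM_EVENT = [-0.015, -0.008]


def breach_market_loss(market_cap: float) -> Tuple[float, float]:
    """Return (CAR over the event window, implied change in market value)
    for a firm whose pre-announcement market capitalization is market_cap."""
    alpha, beta = ols_market_model(FIRM_EST, MARKET_EST)
    c = cumulative_abnormal_return(alpha, beta, FIRM_EVENT, MARKET_EVENT)
    return c, c * market_cap


if __name__ == "__main__":
    alpha, beta = ols_market_model(FIRM_EST, MARKET_EST)
    c, delta = breach_market_loss(80e9)  # assumed: an $80 billion firm
    print(f"alpha={alpha:.4f} beta={beta:.2f} CAR={c:.2%} "
          f"market value change=${delta / 1e9:.2f} billion")
```

With these constructed series the firm loses 2.52% of its value over the 
two days, about $2.0 billion on an $80 billion firm, which is the kind of 
figure the 2.1% average above is built from. A real study uses a much 
longer estimation window (typically a hundred or more trading days), 
averages the CAR across many breach announcements, and tests whether the 
average differs from zero against the residual variance of the estimation 
window; none of that changes the arithmetic shown here.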

Cavusoglu et al. (2004a) show that the announcement of an Internet 
security breach is negatively associated with the market value of the an- 
nouncing firm. The breached firm, on average, loses 2.1% of its market 
value within two days of the announcement. This translates into a $1.65 
billion average loss in market capitalization per breach based on the 
mean market value of firms in their data set. They also found that (i) 
breach cost is higher for “pure play” or Internet-only firms than for 
conventional firms, (ii) breach cost has increased over the time of the study 
period, (iii) security breaches are costlier for smaller firms than larger 
firms, and (iv) breach cost is not significantly different across breach 
types. The effects of security breaches are not restricted to breached 
firms, however. The market values of security technology firms are pos- 
itively associated with the disclosure of a security breach. Each security 
firm in their sample, on average, realizes an abnormal return of 1.36% 
within two days after the announcement. This produces, on average, a 
total gain for security firms of $1.06 billion over a two-day period. 

The average loss estimate obtained through capital markets by Cavusoglu 
et al. (2004a) is orders of magnitude above the average loss estimate 
reported in the CSI-FBI surveys. The huge difference may be explained by 
the fact that firms in the CSI-FBI surveys estimated only direct costs 
such as lost productivity or sales and the expenditure on restoring the 
breached system, whereas the loss estimated through capital markets also 
includes investors’ expectations about the impact on future cash flows, 
which requires consideration of intangible costs such as the loss of 
consumer confidence. In forming their expectations, investors may also 
anticipate that the firm will be breached again in the future. Estimates 
based on capital markets may be noisy because of these uncertainties. 
However, even if these estimates are heavily discounted, at least an 
order of magnitude of difference remains between the firms’ own reported 
estimates in the CSI-FBI surveys and the market value loss in Cavusoglu 
et al. (2004a). One possible implication of this finding is that the 
intangible costs of security breaches can be much larger than the tangible 
costs, and hence firms that ignore the intangible costs are perhaps grossly 
underestimating the loss from security breaches. Since investment in IT 
security is directly dependent on the extent of potential loss from 
breaches, firms are likely to underinvest in IT security if they make 
investment decisions based only on tangible costs. 



3. Assessing the Value of Security Controls 

Quantifying the value of IT security is not easy because of the diffi- 
culties in estimating benefits. This problem is not unique to IT security. 
The “productivity paradox” literature, which has attempted to quan- 
tify the return on IT investments, has grappled with similar problems 
(Brynjolfsson 1993). 

IT security management seeks to establish internal controls to mini- 
mize the risk of loss of information and system resources, corruption of 
data, disruption of access to the data, and unauthorized disclosure of 
information. These internal mechanisms fall into two major categories: 
preventive controls and detective controls. Preventive control mechanisms, 
e.g. firewalls, aim to build a “defensive shield” around IT systems. 
Detective control mechanisms try to detect intrusions when they occur. 
Although preventive control is an important aspect of an IT security 
architecture, it is extremely difficult to build an IT system that is 
absolutely secure. Detection-based security has become an important 
element of the overall security architecture because, without detective 
controls, IT systems are unprotected once intruders manage to get past 
the firewall. Studies have also reported that many attackers are employees, 
or outsiders assisted by insiders (Escamilla 1998; Russell and Gangemi 
1992), whom perimeter controls never face at all. Thus, detection-based 
controls complement perimeter security by identifying intrusions from 
both insiders and outsiders. 

Intrusion Detection Systems (IDSs) are one of the most common de- 
tection approaches used by firms. The goal of these systems is to identify, 
in real time, unauthorized use, misuse, or abuse of computer systems. 
Cavusoglu et al. (2002a) investigate the value of an IDS within an IT 
architecture that has firewalls on one side and manual monitoring on the 
other, with the IDS in between. They derive the value of the IDS by 
comparing two cases: an architecture that does not employ an IDS to detect 
intrusions, and one that includes an IDS to detect security violations. 
They find that, contrary to common belief, the value of an IDS can be 
negative: the value is positive only if the IDS deters hackers from 
attacking, and firms can achieve that deterrence by configuring the IDS 
effectively. Irrespective of its value, an IDS reduces the effective 
manual investigation rate, and hence the manual investigation cost, but 
does not change the effective detection rate. Their results suggest that 
the value of an IDS arises from deterrence rather than from improved 
detection. 

As pointed out by Axelsson (2000), “The best effort [security] is often 
achieved when several security measures are brought to bear together. 
How should intrusion detection collaborate with other security mecha- 
nisms to this synergy effect? How do we ensure that the combination 
of security measures provides at least the same level of security as each 
applied singly would provide, or that the combination does in fact lower 
the overall security of the protected system?” Current practice seems to 
ignore the interaction effect between security technologies, in terms of 
their value contribution to security, when designing a security architecture. 

Given that a layered security architecture is a necessity for a secure 
environment, the crucial question is how security controls interact when 
they are implemented together within the same security architecture. Do 
they complement each other, that is, is the value of a security 
architecture with both a firewall and an IDS greater than the sum of the 
values of each control applied individually? Or do they substitute for 
each other, that is, is the value of the architecture with both less than 
the sum of the individual values? 

This question matters because when a firm sets up its security 
architecture, it often considers how much value a security control will 
add in isolation from the controls already in place. This presumption is 
in fact a selling point for security vendors. For instance, the argument 
that a firewall will reduce hacker attacks by x percent and will result 
in $y of savings for the firm might be incorrect if there is already an 
IDS in the firm’s security architecture. Hence, failing to recognize the 
interaction between security technologies may lead to security 
architecture design decisions that are not optimal. 

Cavusoglu et al. (2003a) demonstrate that both complementary and 
substitution effects can exist between security technologies. Since a 
firm decides whether or not to install a security control based on its 
cost and its value to security within the firm, the firm may justify 
investments in some security controls that would not have been justified 
had it considered the interaction effect, or disregard investments in 
some security controls that would have been justified had it considered 
the interaction effect. The conclusion is that firms should evaluate the 
value of a security mechanism in light of the controls already in place, 
rather than in isolation from them, before concluding on its return. 

4. Effective level of investment 

The process by which organizations determine their IT security 
investments is rather blurred because of the high degree of uncertainty 
in the estimation of costs and benefits, as described in the previous two 
sections. Fear, uncertainty, and doubt (FUD) (Berinato 2002) has been 
used for years by security vendors to sell investments in IT security. 
Although this approach can convince organizations to invest in basic 
security solutions, e.g. firewalls and anti-virus systems, it does not 
tell an organization how much to invest to deal with security risks in a 
cost-effective way. 

There are basically two approaches to determining the effective IT 
security investment level. The first uses the traditional risk or 
decision analysis framework and is quite popular in practice. The idea is 
to identify the potential risk of security violations in terms of damage 
and likelihood. Using this framework, Gordon and Loeb (2002) propose an 
economic model that determines the optimal amount to invest in security 
controls to protect a given set of information, considering the 
vulnerability of the information to a breach and the potential loss 
associated with a breach. They show that the optimal amount to spend on 
security is far less than the expected loss from a breach (for the 
classes of breach probability functions they analyze, never more than 
about 37%, i.e. 1/e, of the expected loss). Their analysis also reveals 
that, for those functions, investing to mitigate risk at very high or 
very low levels of vulnerability may not be economically justifiable, so 
a firm may be better off concentrating on information sets of midrange 
vulnerability. Longstaff et al. (2000) propose the Hierarchical 
Holographic Model (HHM) to assess security risks and provide a model for 
assessing the efficacy of risk management. They argue that investment in 
systematic risk assessment can reduce the likelihood of intrusions, 
yielding benefits much higher than the investment. Hoo (2000) provides a 
decision-analytic framework to evaluate different policies for IT 
security. He develops a risk modeling technique for the selection of 
safeguards which uses influence diagrams as a common graphical language 
that maps the relationships between key variables. Instead of comparing 
all security controls individually, his model groups controls into 
baskets of safeguards, or policies, and then makes the cost-benefit 
tradeoff for each policy. Unlike the other two decision-theoretic models 
mentioned above, his model considers not only the cost of security 
controls and the expected loss from security breaches but also the 
additional profits expected from new opportunities associated with the 
security investment. 
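
To make the Gordon and Loeb result concrete, here is an added worked 
example; it is not the authors' code. The objective, ENBIS(z) = 
(v - S(z, v)) L - z, and the two classes of breach probability function, 
S^I(z, v) = v / (alpha z + 1)^beta and S^II(z, v) = v^(alpha z + 1), are 
the ones defined in Gordon and Loeb (2002); the parameter values (L = 
1000, v = 0.5, alpha, beta) are illustrative choices made here. The code 
solves the first-order condition in closed form, cross-checks it against a 
brute-force grid search, and shows the class II optimum dropping to zero 
at both very low and very high vulnerability, which is the "midrange" 
effect described above.

```python
"""Gordon-Loeb (2002) optimal security investment, worked numerically.

Added example, not the authors' code.  The objective and the two classes of
breach-probability function are the ones defined by Gordon and Loeb (2002);
every parameter value below is an illustrative choice made here.

  v        vulnerability: probability of a breach with no investment, 0 < v < 1
  L        loss if a breach occurs
  z        amount invested in security
  S(z, v)  breach probability after investing z
  ENBIS(z) = (v - S(z, v)) * L - z   expected net benefit of the investment
"""
import math


def s_class1(z: float, v: float, alpha: float, beta: float) -> float:
    """Class I breach function: S = v / (alpha*z + 1)**beta, alpha > 0, beta >= 1."""
    return v / (alpha * z + 1.0) ** beta


def s_class2(z: float, v: float, alpha: float) -> float:
    """Class II breach function: S = v ** (alpha*z + 1), alpha > 0."""
    return v ** (alpha * z + 1.0)


def enbis(z: float, v: float, L: float, s) -> float:
    """Expected net benefit of investing z, for a breach function s(z)."""
    return (v - s(z)) * L - z


def _check_v(v: float) -> None:
    if not 0.0 < v < 1.0:
        raise ValueError("v must be a probability strictly between 0 and 1")


def optimal_z_class1(v: float, L: float, alpha: float, beta: float) -> float:
    """Solve dENBIS/dz = 0: (alpha*z + 1)**(beta + 1) = v*L*alpha*beta.
    Clamped at zero: if the first dollar does not pay, spend nothing."""
    _check_v(v)
    root = (v * L * alpha * beta) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def optimal_z_class2(v: float, L: float, alpha: float) -> float:
    """Solve dENBIS/dz = 0 with u = -ln v > 0: alpha*z + 1 = ln(alpha*L*u) / u.
    Returns 0 when that is below 1, which happens for both very low and very
    high v: the midrange vulnerabilities are the ones worth protecting."""
    _check_v(v)
    u = -math.log(v)
    return max(0.0, (math.log(alpha * L * u) / u - 1.0) / alpha)


def grid_search_z(v: float, L: float, s, step: float = 0.1) -> float:
    """Brute-force cross-check of the closed forms: maximize ENBIS over
    0 <= z <= v*L (spending more than the expected loss can never pay off)."""
    best_z, best_val = 0.0, enbis(0.0, v, L, s)
    for i in range(1, int(v * L / step) + 1):
        z = i * step
        val = enbis(z, v, L, s)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


if __name__ == "__main__":
    L, v = 1000.0, 0.5   # assumed: loss of 1000 per breach, 50% breach probability unprotected
    z1 = optimal_z_class1(v, L, alpha=0.01, beta=1.0)
    z2 = optimal_z_class2(v, L, alpha=0.1)
    print(f"expected loss v*L = {v * L:.0f}, 1/e of it = {v * L / math.e:.1f}")
    print(f"class I  z* = {z1:.1f}  (grid check "
          f"{grid_search_z(v, L, lambda z: s_class1(z, v, 0.01, 1.0)):.1f})")
    print(f"class II z* = {z2:.1f}  (grid check "
          f"{grid_search_z(v, L, lambda z: s_class2(z, v, 0.1)):.1f})")
    for vv in (0.001, 0.05, 0.2, 0.5, 0.8, 0.99):
        print(f"class II, v = {vv:<5}: z* = {optimal_z_class2(vv, L, 0.1):6.1f}")
```

For these parameters the expected loss is 500 and the optimal spend is 
about 124 (class I) or 51 (class II), both under the 1/e ceiling of about 
184. The class II sweep shows the non-monotonic behaviour: at v = 0.001 
the breach is too unlikely to be worth paying to reduce, and at v = 0.99 
the class II function is so flat in z that no investment moves the 
probability enough to pay for itself.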

In essence, all of the above models for IT security investment are not 
very different from general IT investment models. However, the context of 
IT security differs from a general IT investment context. In security, 
organizations are dealing with strategic adversaries who are looking for 
opportunities to exploit vulnerabilities in systems. While organizations 
try to close the vulnerabilities in their systems, attackers race with 
them to exploit those vulnerabilities, attacking the systems that are 
vulnerable and lack appropriate controls. To be able to compete, 
organizations should act strategically when investing in security; IT 
security can be treated as a kind of game between organizations and 
attackers. When choosing a security investment level, firms cannot treat 
the risk environment as static. Security investments not only prevent 
security breaches by reducing the vulnerabilities that attackers can 
exploit but also deter attackers by making attacks less attractive. 
Knowing that an attack will not be enough to bypass the preventive 
security mechanisms, or will be detected by the detective control 
mechanisms within the system, can change the behavior of attackers. As 
pointed out in NIST Special Publication 800-30 on risk management 
(Stoneburner et al. 2001), security investment increases the attacker’s 
cost. The deterrent effect comes in when the attacker’s cost becomes 
larger than the benefit, leading the attacker not to attack the firm in 
the first place. Hence, looking at the security investment problem from a 
purely decision-theoretic perspective might not be appropriate for 
determining how much to invest in security. Any model that aims to 
determine the IT security investment level must consider the effect of 
the firm’s actions on attackers’ behavior, and vice versa. 

The second approach to determine the effective IT security investment 
level uses game theory to model such strategic interactions. Cavusoglu 
et al. (2003b) propose a comprehensive analytical model to evaluate se- 
curity investment decisions. Their model offers several benefits. First, it 
captures the individual technologies used in a typical IT security infras- 
tructure. Consequently, managers can evaluate the interaction among 
different technologies and jointly decide on investments in multiple 
technologies. Second, the model helps managers understand the different 
drivers of the return on IT security investment and enables them to 
conduct sensitivity analysis of the return with respect to these drivers. 
Without referring to specific security controls, Cavusoglu et al. (2004b) 
extend the model of Gordon and Loeb (2002) using a game theory-based 
approach for determining the optimal IT security investment level. They 
show that ignoring the strategic nature of the interaction causes a firm 
to invest either more or less than the required amount. Their results 
show that, under most circumstances, a firm facing a strategic adversary 
realizes a lower cost when it uses game theory rather than decision theory 
to make security investment decisions. 

5. Other economics-based IT security studies 

Optimal configuration of IDSs has also attracted attention among security 
researchers recently, leading to several models for such analysis. 
Configuring an IDS involves setting the false positive and false negative 
rates by calibrating the model the IDS uses. Gaffney and Ulvila (2001) 
present a decision-theoretic approach to determine the best operating 
point of an IDS for a given environment. Their study integrates the cost 
of dealing with the two types of errors with the quality profile of the 
IDS as given by its Receiver Operating Characteristic (ROC) curve, which 
relates the false-positive rate to the detection rate (equivalently, the 
false-negative rate). Since hacker behavior can be influenced by the 
likelihood that the hacker will be caught, which in turn depends on the 
configuration of the IDS, a firm can use configuration as a strategic tool 
in security. Using this idea, Cavusoglu et al. (2002b) present an 
optimization model based on game theory to determine the optimal 
configuration of IDSs, and present their results using computational 
experiments. Cavusoglu and Raghunathan (2003) extend these two studies by 
comparing the effect of the chosen methodology, game theory versus 
decision theory, on the configuration and the resulting cost. They also 
provide an analytical solution to the configuration problem under both 
methodologies. 
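
The decision-theoretic choice of operating point can be seen in a small 
added example; this is not Gaffney and Ulvila's model or code, and it uses 
only the simplest per-event expected-cost expression (cost of a missed 
intrusion weighted by the intrusion base rate, plus cost of a false alarm 
weighted by the benign rate). The ROC points, the base rates and the two 
error costs are constructed here. What the example shows is the part of 
the argument that matters operationally: the best point on the same ROC 
curve moves as the base rate of intrusions changes, because at low base 
rates false alarms dominate the cost.

```python
"""Choosing an IDS operating point on its ROC curve by expected cost.

Added example, not the Gaffney-Ulvila model itself: the ROC points, the
base rate of intrusions and the two error costs are all constructed here.
"""

# Constructed ROC curve: (false-positive rate, detection rate) at several
# sensitivity settings of one IDS, from "alert on nothing" to "alert on everything".
ROC_POINTS = [
    (0.00, 0.00),
    (0.01, 0.60),
    (0.05, 0.80),
    (0.10, 0.90),
    (0.20, 0.95),
    (0.50, 0.99),
    (1.00, 1.00),
]


def expected_cost(fpr, tpr, base_rate, cost_missed, cost_false_alarm):
    """Expected cost per monitored event.

    An intrusion (probability base_rate) is missed with probability 1 - tpr;
    a benign event (probability 1 - base_rate) raises a false alarm with
    probability fpr.  Costs are per missed intrusion and per false alarm.
    """
    return (base_rate * (1.0 - tpr) * cost_missed
            + (1.0 - base_rate) * fpr * cost_false_alarm)


def best_operating_point(roc, base_rate, cost_missed, cost_false_alarm):
    """Return the (fpr, tpr) pair on the ROC curve with the lowest expected cost."""
    return min(roc, key=lambda p: expected_cost(p[0], p[1], base_rate,
                                                cost_missed, cost_false_alarm))


def false_alarms_per_detection(fpr, tpr, base_rate):
    """How many false alarms an analyst works through per true detection."""
    return ((1.0 - base_rate) * fpr) / (base_rate * tpr)


if __name__ == "__main__":
    C_MISSED, C_FA = 1000.0, 10.0   # assumed: one missed intrusion costs as much as 100 false alarms
    for base_rate in (0.001, 0.01, 0.1):
        fpr, tpr = best_operating_point(ROC_POINTS, base_rate, C_MISSED, C_FA)
        cost = expected_cost(fpr, tpr, base_rate, C_MISSED, C_FA)
        ratio = false_alarms_per_detection(fpr, tpr, base_rate)
        print(f"base rate {base_rate:<6}: operate at FPR={fpr:.2f}, TPR={tpr:.2f}, "
              f"expected cost/event {cost:.3f}, false alarms per detection {ratio:.1f}")
```

With a 1% base rate the cost-minimizing point is FPR 0.10 / TPR 0.90; at 
a 0.1% base rate it moves to the least sensitive useful setting (FPR 0.01 
/ TPR 0.60), and at 10% to the most sensitive one short of alerting on 
everything. The same curve, the same costs, a different answer, which is 
why a vendor's ROC figure alone cannot tell you where to run the sensor.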

Even technical researchers have begun to incorporate cost elements into 
design. Lee et al. (2002) propose building cost-sensitive intrusion 
detection systems that generate alarms based on various cost elements. 
They follow a risk analysis procedure to select sensitive assets and 
create a cost matrix for each intrusion. They then divide total cost into 
damage cost, response cost, and operational cost, and define those 
elements for each type of intrusion. They use this cost model, together 
with the technical effectiveness of the IDS, to determine whether it is 
worthwhile to employ countermeasures to stop an intrusion. To simulate 
their model they choose an attack taxonomy example from DARPA and verify 
the effectiveness of the model. Using the same attack taxonomy, Wei et 
al. (2001) suggest a similar cost model which considers the cost not only 
from multiple events but also from multiple hosts, making it more general 
for a distributed network environment. 

Moitra and Konda (2000) analyze CERT Coordination Center incident data 
from 1988 to 1995 to understand the underlying process behind the random 
occurrence of incidents. They then develop a simulation model and run it 
with inputs estimated from the CERT data to observe how well a system 
survives when it is subjected to a series of attacks. They observe that 
as cost increases, survivability increases rapidly at first and then more 
slowly, and they show the tradeoff involved between cost and expected 
survivability. Once this curve is estimated, a firm can choose where on 
it to be. Although survivability is important for security, their study 
relates to only one of the security objectives, availability. 

6. Conclusions and Future Research Directions 

In this paper, I have reviewed the literature on the economics of IT 
security management, discussing the issues addressed and the 
methodologies used. Specifically, I categorized the studies into four 
groups: (i) estimation of the total cost of security breaches, (ii) 
assessment of the value of security technologies, (iii) determination of 
the optimal level of IT security investment, and (iv) other 
economics-based security studies. 

Although the recent research on the economics of IT security has 
increased the understanding of important security issues, this new 
research stream still has many issues to address. There are several 
directions for future research on the economic aspects of IT security. 
The most prominent one is cyber insurance. Firms can manage security 
risks to information systems by investing in security technologies and/or 
by buying insurance. The nature and extent of the risk in cyberspace, 
which includes not only the direct risk to a firm but also the risk 
arising from interconnected partner networks, makes insurance different 
from other contexts. Analysis of the conditions under which cyber 
insurance is a viable option is crucial for effective IT security 
management, and will shed light on how firms can use insurance to 
minimize the cost of security. 

Interconnections among IT systems make the security levels of individual 
systems interdependent. Each institution’s vulnerability depends not only 
on the way in which it manages its own risk but also on the ways in which 
other entities manage theirs. While investment in IT security reduces a 
firm’s risk exposure and produces positive externalities for others, the 
dependence of the firm’s security on the investments of others may negate 
the payoff the firm receives from its own investment, and can also 
diminish the firm’s incentive to invest. Therefore, it is critical that 
firms invest in security after considering the additional risk arising 
from connected systems. Future research should focus on the effect of 
liability and litigation on security investment decisions among 
interconnected systems. It should also investigate the use of subsidies 
as a way to encourage security investments. 
Each threat and vulnerability must be related to one or more 
of the assets requiring protection and discuss our framework 
for a classification of threats and countermeasures. 

A critical decision security managers must make is the amount to spend 
on security measures to protect the assets of the organization. To arrive 
at this decision, security managers need to know explicitly the assets of 
their organizations, the vulnerability of their information systems to 
different threats, and the potential damages. 

1. Cost of Information Security Incidents 

Threats and vulnerabilities do not exist in a vacuum. Each threat and 
vulnerability must be related to one or more assets requiring protection. 
This means that prior to assessing damages we need to identify assets. 
Logical and physical information system assets can be grouped into five 
categories: 

1 Information - Documented (paper or electronic) data or intellec- 
tual property used to meet the mission of an organization, 

2 Software - Software applications and services that process, store, 
or transmit information, 

3 Hardware - Information technology related physical devices con- 
sidering their replacement costs, 

4 People - The people in an organization who possess skills, knowl- 
edge, and experience that are difficult to replace and, 
5 Systems - Information systems that process and store information 
(a system being a combination of information, software, and hardware 
assets; a host, client, or server, or any combination of them, is 
considered a system). 

The most common metric for these diverse assets is money, which is 
generally used where the threat is direct financial theft or fraud. Some 
assets are difficult to measure in absolute terms but can be measured in 
relative ways, for example, information. The value of information can be 
measured as a fraction or percentage of total budget, assets, or worth of 
a business in relative fashion. Assets may also be ranked by sensitivity 
or importance to an organization in relative ways. The major categories 
of threats to the information systems are: 

1 Destruction of information and/or other resources, 

2 Corruption or modification of information, 

3 Theft, removal or loss of information and/or other resources, 

4 Disclosure of information; and 

5 Interruption of services. 

The impact of information security incidents may well be financial, 
in the form of immediate costs and losses of assets. For example, the 
cost of downtime per hour caused by a denial of service attack can be 
computed by measuring the loss of: 

Productivity: (number of employees impacted) x (hours out) x (burdened 
hourly rate) 

Revenue: direct loss, lost future revenues 

Financial performance: credit rating, stock price 

Other expenses: equipment rental, overtime costs, extra shipping costs, 
travel expenses, etc. 

Much more serious, and much harder to quantify, are the hidden costs. 
Consider the example of a denial of service attack, where the damage to 
the company’s reputation can have a negative impact on its relationships 
with customers, suppliers, financial markets, banks, and business 
partners. 

We have chosen to use both qualitative methods (interviews) and a 
quantitative examination of the damages awarded in cases that have been 
successfully prosecuted. We have conducted personal interviews with law 
enforcement agencies dealing with computer crime and with executives from 
financial institutions dealing with security issues. In addition, we did 
a literature review of cases prosecuted by the Department of Justice, 
including the evaluation of damages and financial awards. The literature 
shows a significant negative market reaction to information security 
breaches involving unauthorized access to confidential data, but no 
significant market reaction when the breach does not involve access to 
confidential data (Campbell et al. 2003). This finding is consistent with 
the findings of the 2002 CSI/FBI survey, which suggests that among 
information security breaches the most serious financial losses were 
related to the theft of proprietary information (Power 2002). It is also 
consistent with the computer crime cases recently prosecuted by the 
Computer Crime and Intellectual Property Section (CCIPS) of the Criminal 
Division of the US Department of Justice. According to CCIPS, 91% of the 
cases brought under the computer crime statute, 18 U.S.C. 1030, relate to 
violation of the confidentiality of information. Consider one of these 
cases: in November 2001, two former Cisco Systems, Inc. accountants were 
sentenced to 34 months in prison for “exceeding their authorized access 
to the computer systems” of Cisco Systems in order to illegally issue 
almost $8 million in Cisco stock to themselves. 

These findings reveal that breaches involving unauthorized access to 
confidential information are quite different from attacks that do not 
involve access to confidential information. As an example, we have 
calculated the tangible cost of a break-in using a buffer overflow attack 
against Web servers, from real incidents in five different companies, as 
follows: 

Total productivity lost 

Total downtime (time to assess and repair damage): 49 hours 
Total productivity lost: 49 hours x 30% of each user’s time lost x 500 users 
= 7,350 hours 

Cost of downtime: (total productivity lost x percentage of staff) x hourly rate 

Employees with an annual salary of $20,000: 
(7,350 hours x 55% of staff) x $10 per hour = $40,425 
Employees with an annual salary of $30,000: 
(7,350 hours x 30% of staff) x $15 per hour = $33,075 
Employees with an annual salary of $45,000: 
(7,350 hours x 15% of staff) x $22.50 per hour = $24,806 
Total cost of downtime: $98,306 

This total cost of downtime is very low compared with the millions of 
dollars in damage in cases involving violation of the confidentiality of 
data. 

The literature review also indicates that compromised firms, on average, 
lose approximately 2.1% of their market value within the two days 
surrounding the event, while security vendors gain an average of 1.36% 
from each such announcement (Cavusoglu, H., et al 2002). (These findings 
are supported by other work included in this text.) Other chapters, and 
the literature more broadly, also show that the negative average impact 
associated with announcements decreases with the size of the firm, which 
suggests that smaller firms are penalized more than larger firms. For the 
managers of small firms this result serves as a reminder of the 
importance of security to the survival of their firms. However, the 
authors do not present detailed data, and thus it is not possible for 
readers to draw conclusions about the absolute loss of market value. 
Although the market penalizes all firms for security breaches, Internet 
firms are penalized more than conventional firms. A possible explanation 
is these firms’ greater dependence on the Internet to generate revenue: 
firms that depend solely on the Internet as a revenue-generating 
mechanism pay a higher price for a security breach than firms that have 
multiple sales channels. 

2. Threat-Agent Classification 

In their previous works, the authors have presented a subjective anal- 
ysis and probability assessment approach as a possible solution for vul- 
nerability assessment and damage evaluation of information security in- 
cidents (Farahmand et al., 2004). In practical terms, the evaluation 
of security risks eventually leads to subjective assessment supported by 
guidelines or some other risk assessment method. In our research, we 
attempt to provide a generic method by which the process can be made 
more systematic. 

Estimating the probability of attack by human threat actors using 
subjective evaluation can be complex. One should consider the following 
factors: 

Motive: How motivated is the attacker? Is the attacker motivated by 
political concerns? Is the attacker a disgruntled employee? Is an asset 
an especially attractive target for attackers? 

Means: Which attacks can affect the critical assets? How sophisticated 
are the attacks? Do likely attackers have the skills to execute the 
attacks? 

Opportunity: How vulnerable is the computing infrastructure? How 
vulnerable are specific critical assets? 

Managers should also be warned about some cognitive biases that stem from 
reliance on judgmental heuristics, which may occur in subjective 
analysis. We classify the origins of these pitfalls into three types: 

Representativeness: In the representativeness heuristic, the probability 
that, for example, Bob is a hacker is assessed by the degree to which he 
is representative of, or similar to, the stereotype of a hacker. This 
approach to the judgment of probability can lead to serious errors, 
because similarity, or representativeness, is not influenced by several 
factors that should affect judgments of probability. 

Availability: There are situations in which people assess the frequency 
of a class or the probability of an event by the ease with which 
instances or occurrences can be brought to mind. For example, one may 
assess the risk of disclosure of information among financial 
institutions by recalling such occurrences among one’s acquaintances. 
Availability is a useful clue for assessing frequency or probability, 
because instances of large classes are usually recalled better and faster 
than instances of less frequent classes. However, availability is 
affected by factors other than frequency or probability, so reliance on 
availability can lead to biases. 

Adjustment and anchoring: In many situations, people make estimates by 
starting from an initial value that is adjusted to yield the final 
answer. The initial value, or starting point, may be suggested by the 
formulation of the problem, or it may be the result of a partial 
computation. In either case, adjustments are typically insufficient; 
that is, different starting points yield different estimates, which are 
biased toward the initial values. 

In spite of these pitfalls, the authors believe that subjective analysis 
can be employed usefully in information security assessment, even when 
quantitative data is not available or a formal process description is not 
required. 

Among information security experts there appears to be no agreement 
regarding the best or most appropriate method to assess the probability 
of computer security incidents. There does exist, however, a hierarchy of 
approaches, such as checklists and scenario generation techniques, that 
require the user to have only a minimum knowledge of information system 
security (Wood et al. 1987). 

To derive an overall likelihood rating that a potential vulnerability 
may be exploited these governing factors should be considered: threat- 
source, nature of the vulnerability, and existence and effectiveness of 
current controls. 

The threat-source addresses both motivation and capability. The 
likelihood that a potential vulnerability could be exploited by a given 
threat-source can be described as high, medium, or low. In defining these 
likelihoods we follow the likelihood determination of NIST (Stoneburner 
et al. 2001): 

High likelihood: The threat-source is highly motivated and sufficiently 
capable, and controls to prevent the vulnerability from being exercised 
are ineffective. 

Medium likelihood: The threat-source is motivated and capable, but 
controls are in place that may impede successful exercise of the 
vulnerability. 

Low likelihood: The threat-source lacks motivation or capability, or 
controls are in place to prevent, or at least significantly impede, the 
vulnerability from being exercised. 



One can also use these qualitative ratings to assign values for a quantitative evaluation to use in the checklist. Implementing this checklist can extract more easily digestible quantitative data from the information managers’ less structured knowledge. Checklists have long been popular in computer security, with proponents including Mercuri (http://www.notablesoftware.com/checklists.html). 

For example, consider a checklist using threat-source likelihood: high likelihood as 0.9, medium likelihood as 0.5, and low likelihood as 0.1. We can also use a more detailed scale such as: very high, high, medium, low, and very low, and use 0.9, 0.7, 0.5, 0.3, and 0.1, respectively, for these likelihoods. Yet greater granularity without greater certainty is illusory, and does not provide greater accuracy. The individual who assigns the variables may choose the specificity. 

The checklist can be written in an interactive form and should allow 
a minimum of three possible answers: “yes”, “no”, or “not relevant”. 
Questions should be asked in a way that a “yes” answer means that the 
control exists and a “no” answer means that the control does not exist. 
A control is relevant when both the asset to be protected and the threat 
exist. 

For example, one critical element to evaluate data integrity can be, 
“Is virus detection and elimination software installed and activated?” A 
subordinate question for the above question could be, “Are virus scans 
automatic?” The answer to this question might be “yes”, “no”, or “not 
relevant”. A metric for this evaluation can be the percentage of systems 
with automatic virus scanning, which can help gauge the risk exposure 
caused by known viruses. 
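The checklist mechanics described above, as an added example that is not part of the original chapter: the NIST three-factor likelihood rating, its mapping to the numeric scales the text suggests, and a per-system "yes"/"no"/"not relevant" question whose coverage metric is the percentage of relevant systems on which the control exists. The control-state labels and the host names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Numeric values for the qualitative ratings, on the two scales suggested
# in the text; the assessor chooses which granularity to use.
THREE_LEVEL = {"high": 0.9, "medium": 0.5, "low": 0.1}
FIVE_LEVEL = {"very high": 0.9, "high": 0.7, "medium": 0.5, "low": 0.3, "very low": 0.1}

CONTROL_STATES = ("ineffective", "impeding", "preventing")  # hypothetical labels


def nist_likelihood(motivated: bool, capable: bool, controls: str) -> str:
    """Rate likelihood from the governing factors: threat-source motivation
    and capability, and the effectiveness of the controls in place."""
    if controls not in CONTROL_STATES:
        raise ValueError(f"unknown control state: {controls}")
    if not (motivated and capable) or controls == "preventing":
        return "low"      # lacks motivation/capability, or controls prevent exercise
    if controls == "impeding":
        return "medium"   # motivated and capable, but controls may impede
    return "high"         # motivated, capable, and controls are ineffective


@dataclass
class Question:
    """One checklist item; a "yes" answer means the control exists."""
    text: str
    answers: Dict[str, str] = field(default_factory=dict)  # system -> answer

    def __post_init__(self) -> None:
        bad = {a for a in self.answers.values() if a not in ("yes", "no", "not relevant")}
        if bad:
            raise ValueError(f"invalid answers: {bad}")

    def coverage(self) -> Optional[float]:
        """Share of relevant systems with the control; None when the control
        is relevant to no system (no asset to protect or no threat)."""
        relevant = [a for a in self.answers.values() if a != "not relevant"]
        if not relevant:
            return None
        return sum(a == "yes" for a in relevant) / len(relevant)


def checklist_report(questions: List[Question]) -> Dict[str, Optional[float]]:
    return {q.text: q.coverage() for q in questions}


# Constructed sample answers for four hosts; the HSM has no virus scanner at all.
AUTO_SCAN = Question("Are virus scans automatic?",
                     {"web-01": "yes", "db-01": "no", "file-01": "yes", "hsm-01": "not relevant"})

if __name__ == "__main__":
    print(checklist_report([AUTO_SCAN]))
    rating = nist_likelihood(True, True, "impeding")
    print(rating, THREE_LEVEL[rating])  # medium 0.5
```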

We provide below a model of classification of security threats and develop three axes to create a threat space and a scheme for probabilistic evaluation of the impact of security threats (Farahmand et al., 2003). In this classification, threats are considered from both the perspective of the threat agent and the threat technique. A threat is manifested by a threat agent using a specific penetration technique to produce an undesired effect on the network. Threat agents include environmental factors, authorized users, and unauthorized users; the threat (penetration) technique could be personnel, physical, hardware, software, or procedural. 
3. Threat Agent 

The evaluation of the threat agent is dominated by physical environ- 
mental failure, insider attacks and external unauthorized access. 

Environmental Factors Although it is common sense, one should re- 
member to account for environmental factors. Some areas are more 
prone to certain environmental influences and natural disasters 
than others. Some types of disasters, such as fire, are not geo- 
graphically dependent, while others, such as tornadoes and floods, 
can be anticipated on a more regular basis in specific areas. In 
addition to the natural disasters, attention should be paid to the 
danger of mechanical and electrical equipment failure and the in- 
terruption of electrical power. 

Authorized users Authorized users and personnel engaged in sup- 
porting operations can be considered as potential threats when 
they exceed their privileges and authorities or commit errors, thus 
affecting the ability of the system to perform its mission. Per- 
sonnel granted access to systems or occupying positions of special 
trust and having the capability or opportunity to abuse their access 
authorities, privileges, or trusts should be considered as potential 
threats. 

Unauthorized users An unauthorized user can be anyone not engaged 
in supporting operations that, by design, attempts to interrupt the 
productivity of the system or operation either overtly or covertly. 
Overt methods could include outright acts of sabotage affecting 
hardware and associated equipment, as well as subtle efforts of de- 
struction, which could be accomplished through the manipulation 
of software, both systems and application. 

4. Techniques 

We classify techniques into physical, personnel (related), hardware, software, and procedural. 

Physical Physical penetration implies use of a physical means to gain 
entry into restricted areas such as a building, compound, room, or 
any other designated area. 

Personnel Penetration techniques and methods generally deal with the 
subverting of personnel authorized some degree of access and priv- 
ilege regarding a system, either as users or operators (operators 
would include system-analysts, programmers, input/output sched- 
ulers, etc.). They can be recruited by a threat agent and used to 
penetrate the system, operation or facility, or they themselves can 
become disaffected or motivated to mount an attack. 
Hardware Attacks can be mounted against hardware for the purpose of 
using the hardware as a means of subverting or denying use of the 
system. A physical attack against the equipment, a bug implanted 
within a hardware controller, or an attack against the supporting 
utilities are means of subverting the system by using the characteristics 
of the hardware. Hardware, as used in this category, generally 
includes any piece of equipment that is part of the system (i.e., the 
mainframe, peripherals, communications controllers, or modems); it 
also includes indirect system support equipment, such as power 
supplies, air conditioning systems, backup power, etc. 

Software Software penetration techniques can be directed against sys- 
tem software, application programs, or utility routines. Software 
attacks can range from discreet alterations that are subtly im- 
posed for the purpose of compromising the system, to less discreet 
changes intended to produce results such as destruction of data or 
other important systems features. 

Procedural Authorized or unauthorized users can penetrate the sys- 
tem due to lack or inadequacy of controls, or failure to adhere to 
existing controls. Examples of procedural penetration include for- 
mer employees retaining and using valid passwords, unauthorized 
personnel picking up output, and users browsing without being 
detected due to failure to diligently check audit trails. 

At a more detailed level, the ISO 7498-2 Standard (1989) lists five 
security control measures to combat these threats: 1) Authentication, 
2) Access Control, 3) Data confidentiality, 4) Data integrity, and 5) 
Non-repudiation. This classification is widely accepted among computer 
security experts, and the authors also recommend them as good control 
measures. These security measures along with agents and techniques are 
shown in Figure 2. One can use this figure to classify threats (agents and 
the techniques) to e-commerce and security measures to confront these 
threats. For example, access control is one of the security measures 
to confront the threats that may be caused by an unauthorized user 
through software. In total, there are 5x3x5 combinations of threat 
technique, agent, and security measure (see Figure 1); however not all of 
these combinations are applicable. For example, non-repudiation cannot 
be a security measure for the threats caused by environmental factors 
or by a procedural technique. We are using this three-dimensional view 
of threat agents, techniques, and security control measures for a better 
quantitative assessment and management of security risk. 
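The three-dimensional threat space described above, as an added example that is not the chapter's own code: it enumerates the 5x3x5 (agent, technique, measure) combinations, drops the inapplicable ones using the single exclusion the text gives (non-repudiation cannot counter environmental or procedural threats), and lets an assessor attach a numeric likelihood value to each remaining cell. The axis labels follow the text; the cell rating and bookkeeping functions are assumptions.

```python
from itertools import product
from typing import Dict, List, Optional, Tuple

# The three axes of the threat space: agents, techniques, security measures.
AGENTS = ("environmental factors", "authorized users", "unauthorized users")
TECHNIQUES = ("personnel", "physical", "hardware", "software", "procedural")
MEASURES = ("authentication", "access control", "data confidentiality",
            "data integrity", "non-repudiation")

Cell = Tuple[str, str, str]  # (agent, technique, measure)


def applicable(agent: str, technique: str, measure: str) -> bool:
    """Applicability rule stated in the text: non-repudiation is not a
    measure against threats from environmental factors or via a
    procedural technique. Further exclusions an assessor identifies
    would be added here."""
    if measure == "non-repudiation":
        return agent != "environmental factors" and technique != "procedural"
    return True


def build_threat_space() -> Dict[Cell, Optional[float]]:
    """All applicable cells, each holding a likelihood value once assessed."""
    return {cell: None for cell in product(AGENTS, TECHNIQUES, MEASURES)
            if applicable(*cell)}


def rate(space: Dict[Cell, Optional[float]], cell: Cell, value: float) -> None:
    """Record a likelihood value (e.g. 0.9/0.5/0.1 for high/medium/low)."""
    if cell not in space:
        raise KeyError(f"{cell} is not an applicable combination")
    if not 0.0 <= value <= 1.0:
        raise ValueError("likelihood value must lie in [0, 1]")
    space[cell] = value


def unassessed(space: Dict[Cell, Optional[float]]) -> List[Cell]:
    """Cells that still lack a likelihood rating."""
    return [cell for cell, value in space.items() if value is None]


if __name__ == "__main__":
    space = build_threat_space()
    total = len(AGENTS) * len(TECHNIQUES) * len(MEASURES)
    print(f"{total} combinations, {len(space)} applicable")  # 75 combinations, 68 applicable
    # The text's own example: access control against an unauthorized user via software.
    rate(space, ("unauthorized users", "software", "access control"), 0.5)
    print(len(unassessed(space)), "cells still to assess")  # 67 cells still to assess
```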

5. Risk Management System 

We believe that the cost of an information system security incident 
on a company has to be measured in terms of the impact on its business; 
Figure 7.1. Combination of agents, techniques and security measures 

hence identical incidents in two different companies could have different 
costs. To evaluate these costs and measure the impact of a security inci- 
dent on a company, we need a systematic approach and a comprehensive 
risk management system. Such a comprehensive security risk evaluation 
system is currently under development at the College of Computing, 
Georgia Institute of Technology. This five-stage system is aimed at helping managers to identify the vulnerabilities of their companies and to select countermeasures, and it includes: resource and application value analysis, vulnerability and risk analysis, computation of losses due to threats and benefits of countermeasures, selection of countermeasures, and evaluation of implementation alternatives (Farahmand et al., 2004). 